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Foreword 

The Center for Substance Abuse Treatment (CSAT) of the Substance Abuse and Mental Health 
Services Administration (SAMHSA) is pleased to present this document, Number 18 in the 
Technical Assistance Publication (TAP) series. Alcohol and drug treatment and prevention 
program staff and management, as well as State agency officials often have questions about the 



disclosure of information relating to alcohol and other drug (AOD) diagnosis and treatment. This 
TAP is designed to answer some of those questions. It provides an easy-to-use checklist that 
should enable both AOD programs and State and other government monitoring agencies to 
quickly detennine whether a breach of patient confidentiality has occurred under the Federal law 
and regulations governing patient confidentiality. 

This TAP is one of several products developed by the Legal Action Center pursuant to a grant by 
CSAT to provide information on improving methods of collaboration between AOD treatment 
and prevention programs and State public health providers. 

Appendix B in this document is a presentation on the emerging issue of managed care and its 
impact on the confidentiality of AOD records. This is another area of concern to AOD programs 
and State government agencies. It is also an area in which these agencies are having to interact 
with new health care entities such as health maintenance organizations (HMOs). 

Nothing in this publication should be construed as authorizing or permitting any person to 
perform an act that is not permitted under the regulations governing confidentiality of substance 
abuse patient records as cited throughout these materials, or by any other Federal or State laws. 

David J. Mactas 
Director 

Center for Substance Abuse Treatment 

Introduction 


The Federal alcohol and other drug (AOD) confidentiality law requires covered programs to 
strictly maintain the confidentiality of AOD patient records. The law (42 U.S.C. § 290dd-2) and 
its accompanying regulations (42 C.F.R. Part 2, referred to in this guide as "the regulations" 
came about through Congress' recognition that safeguards on privacy serve the important 
purpose of encouraging persons to seek AOD dependence care by preventing the disclosure of 
information related to their AOD diagnosis and treatment, which could stigmatize them in their 
communities. 

Although remarkably effective, the laws are also complex. Questions about which disclosures are 
and are not permissible sometimes confuse AOD treatment programs and the State agencies 
responsible for funding and evaluating them. This guideline is designed to alleviate some of that 
confusion. It provides an easy-to-use checklist that should enable the compliance personnel of 
both AOD programs and State and other government monitoring agencies to quickly determine 
whether complaints alleging a breach of patient confidentiality are justified under the Federal 
confidentiality law. 

Two important caveats apply. First, this checklist should only be consulted to determine 
whether a prior disclosure complied with the law. It should not be consulted to determine 
whether to make a disclosure in the first instance. For such decisions, programs and State agency 
staff should consult more detailed analyses of the Federal regulations, such as that contained in 



the Legal Action Center's book, Confidentiality: A Guide to the Federal Law and Regulations. 
Because the checklist is written in summary form (hence its easy-to-use style), sole reliance on it 
could result in inadvertent breaches of the regulations. 

The second caveat is that when using the checklist for its intended purpose-to evaluate whether 
prior communications complied with the law-compliance personnel should consult more 
detailed analyses in order to understand the nuances of the law. In short, the checklist 
provides a conceptual framework and the basic principles to guide compliance personnel. In 
complex cases, compliance personnel should consult a more comprehensive source. 

The best way to use the guide is as follows. In all instances, consult Sections I and II first. Begin 
with Section I to determine whether the regulations even apply to the alleged confidentiality 
violation. For example, was the alleged breach by a "program" and about a "patient" as those 
terms are defined in the regulations? Second, consult Section II to determine whether a 
"disclosure" of patient-identifying information was made. Only after concluding that the 
regulations apply (Section I) and that a disclosure of patient-identifying information was made 
(Section II), will one need to consult Sections III-V to detennine whether the disclosure was 
authorized under the regulations. Sections III: A-I cover nearly all of the rules (sometimes called 
"exceptions") that authorize AOD programs to disclose patient-identifying information. 
Compliance personnel first should consult those rules that most likely apply. If a rule applies, 
one need not go further. The communication was legal under the regulations. If a rule does not 
apply, consult other rules to see if they apply. Section III does not cover absolutely every rule in 
the regulations. For example, it omits discussion of the rules about reporting vital statistics (§ 
2.15(b)) and central registries for methadone and detoxification programs (§ 2.34). Compliance 
personnel should consult the regulations directly for any rules not covered by this checklist. 
Section IV discusses search and arrest warrants, which are related to the discussion in Section 
IV-I. The two sections should be read in tandem. Finally, Section V discusses the regulations as 
they apply to persons who are not formally part of an AOD program but who nevertheless are 
bound by the regulations because they received patient-identifying information from an AOD 
program in circumstances authorized by the regulations. 

Within each section and its subparts, there is a checklist that the user can follow to ascertain 
whether the disclosure complied with the law, followed by a summary of the rule. 

In using the guide, bear in mind that in addition to the Federal law, many States may have 
laws and regulations that govern the confidentiality of AOD information. Make sure that 
you are familiar with such State laws; this guide does not incorporate them. 

Most States also have laws governing the confidentiality of HIV-related infonnation (HIV 
confidentiality is determined only by State law; there is no Federal HIV confidentiality law), as 
well as the confidentiality of mental health and medical records. This guide does not address 
those State laws. Thus, even if a disclosure complies with the Federal AOD confidentiality law, 
compliance personnel might also choose to detennine whether the disclosure violates any State 
confidentiality laws (e.g., those pertaining to AOD, HIV, mental health, or medical records). 



For instances in which a State's confidentiality law (AOD or otherwise) is more restrictive than 
the Federal law, a program must follow the stricter State law. For example, if a program has 
disclosed a patient’s HIV status after the patient has signed a consent fonn that is proper under 
the Federal AOD confidentiality law, compliance personnel must also determine whether the 
State imposes any additional requirements for disclosing HIV-related information (e.g., a special 
HIV consent form). 

For instances in which a State's confidentiality law or any other State law is less protective of 
confidentiality than the Federal law, however, the Federal law controls. For example, if a State 
law mandates a program to notify parents about certain conduct by minor patients, but the 
Federal regulations absolutely prohibit such disclosure, the program cannot make the disclosure; 
the Federal law controls. However, there is usually a way to disclose properly under the Federal 
law, for example, by obtaining patient consent or a court order that meets the Federal 
requirements. Accordingly, there is rarely an irreconcilable conflict with State law. 

In addition, under 45 C.F.R. Part 96.132(e), States that receive Federal block grant funding for 
AOD treatment services, are required to: 

have in effect a system to protect from inappropriate disclosure patient records 
maintained by the State in connection with an activity funded under the program involved 
or by any entity which is receiving amounts from the grant and such system shall be in 
compliance with all applicable State and Federal laws and regulations including 42 CFR 
part 2. This system shall include provisions for employee education on the confidentiality 
requirements and the fact that disciplinary action may occur upon inappropriate 
disclosures. This requirement cannot be waived. 


Checklist for Monitoring Alcohol and Other 
Drug Confidentiality Compliance 

I. DOES 42 C.F.R. PART 2 APPLY? 

A. WAS THE ALLEGED DISCLOSURE MADE BY A "PROGRAM"? 

Issue: Is the individual or entity that made the alleged disclosure a "program" covered by 
42 C.F.R. Part 2? 

1. Does the individual or entity that allegedly made the disclosure receive Federal financial 
assistance in any one of the following ways: 



direct Federal funding; Y_N 


• is operated by the Federal Government or by a State or local government that 
receives funds that could be (but are not necessarily) spent for the alcohol and 
other drug (AOD) program; Y_N_ 


• Federal block grants or other funds channeled through State or local 
government; Y_N_ 


• licensure, certification, or registration by the Federal Government, for example: 
Y N 


-authorization to conduct methadone maintenance treatment; 

-certification for Medicare reimbursement; or 

-authorization to dispense a substance under the Controlled Substances Act for use in 
treating AOD abuse. 

• exemption from Federal taxation? Y_N_ 

If the answer to any of the questions is "yes," go to question 2. 

If the answer to all of the questions is "no," the individual or entity that allegedly made 
the disclosure is not a "program" as defined by the regualtions. Go to question 7 to 
determine whether the entity is otherwise bound by the regulations. 

2. Was the alleged disclosure made by a general medical care facility or a unit of a general 

medical care facility? Y_N_ 

If "yes," go to question 3. 

If "no," go to question 6. 

3. Does the general medical care facility (or unit of such facility) that allegedly made the 

disclosure hold itself out as providing and actually provide AOD abuse diagnosis, 
treatment, counseling, or referral for treatment? Y_N_ 

If "yes," go to question 8. 

If "no," go to question 4. 



4. Was the alleged disclosure made by a staff member of a general medical care facility 

whose primary function is the provision of AOD abuse diagnosis, counseling, treatment, 
or referral for treatment? Y_N_ 

If "yes," go to question 5. 

If "no," the alleged disclosure was not made by a "program" as defined by the 
regulations. Go to question 7 to determine whether the regulations otherwise apply. 

5. Is such staff member identified as having the primary function of providing AOD abuse 

diagnosis, counseling, treatment, or referral for treatment? Y_N_ 

If "yes," go to question 8. 

If "no," the individual who made the alleged disclosure is not a "program" as defined by 
the regulations. Go to question 7 to detennine whether the individual is otherwise bound 
by the regulations. 

6. Was the alleged disclosure made by an individual or entity that holds itself out as 

providing and does provide AOD abuse diagnosis, treatment, counseling, or referral for 
treatment? Y_N_ 

If "yes," go to question 8. 

If "no," the individual or entity that made the alleged disclosure is not a "program" as 
defined by the regulations. Go to question 7 to detennine whether the regulations 
otherwise apply. 

7. Does State law, regulation, or licensing requirement bind the individual or entity to the 

standards of 42 C.F.R. Part 2? Y_N_ 

If "yes," the individual or entity that allegedly made the disclosure should be considered a 
"program" bound by the regulations. Go to Section I.B. 

If "no," see Section V to detennine whether the individual or entity that allegedly made 
the disclosure is otherwise bound by the regulations because it received patient- 
identifying information from an AOD program. 

8. Was the information that was allegedly disclosed maintained in connection with the 
Department of Veterans Affairs’ provision of hospital care, nursing home care, 
domiciliary care and medical services under Title 38 of the U.S. Code? Y N_ 

If "yes," the regulations do not apply. Consult 38 U.S.C. 4132 and the regulations issued 
under that authority by the Secretary of Veterans Affairs. 

If "no," go to question 9. 

9. Was the information that was allegedly disclosed obtained by any component of the 

Armed Forces during a period when the patient was subject to the Uniform Code of 
Military Justice? Y_N_ 



If "yes," go to question 10. 

If "no," the individual or entity that made the alleged disclosure is a "program." Go to 
Section I.B. 

10. Was the alleged disclosure made within the Armed Forces or between the Armed Forces 
and those components of the Department of Veterans Affairs furnishing health care to 
veterans? Y_N_ 

If "yes," stop here because the individual or entity that made the alleged disclosure is not 
a "program" under the regulations. The regulations do not apply. 

If "no," the individual or entity that made the alleged disclosure is a "program." Go to 
Section I.B. 

Summary of the Rule 

The Federal regulations only apply to "programs" as defined under the law (§ 2.11). "programs" 
are organizations or individual practitioners who: 

a. receive Federal assistance—Such assistance exists when the program is directly funded 
by the Federal Government, is operated by the Federal Government or by a State or local 
government that receives Federal funds that could be (but are not necessarily) spent for 
the AOD program, is registered or certified by the Federal Government (e.g., certified for 
Medicare reimbursement), receives Federal block grant or other funds through a State or 
local government, is licensed directly by the Federal Government (e.g., to dispense 
methadone), or is exempted from taxes under the Federal Internal Revenue Code (i.e., is a 
not-for-profit tax-exempt corporation); and 

b. provide and hold themselves out as providing AOD diagnosis, counseling, treatment, 
or referral for treatment. The regulations apply to both free-standing programs and 
programs that are part of larger organizations, such as a detoxification unit within a 
general hospital, an AOD clinic within a county mental health department, an AOD unit 
within an employee assistance program or student assistance program, or an AOD 
program within a managed care program that provides direct medical services (§ 
2.12(e)(1)). 

With respect to general medical care facilities, in addition to identified AOD units, the 
regulations apply to medical personnel or other staff whose primary function is the 
provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment and 
who are identified as such (§ 2.11). The regulations do not apply, however, to hospital 
emergency room personnel unless their primary function is the provision of the AOD 
services listed in number 2 above and the person is identified as providing such services 
or the emergency room has promoted itself to the community as a provider of such 
services (§2.12). 


The regulations apply to all program employees, volunteers, student interns, former staff, 
and executive, administrative, clinical, and support personnel. 



The regulations do not apply to information on AOD patients maintained in connection 
with various Department of Veterans Affairs programs or to information maintained by 
the Armed Forces if the disclosures are within the Armed Forces or between the Armed 
Forces and the Department of Veterans Affairs (§ 2.12(c)(l)-(2)). 

Some States have enacted laws or regulations that require certain AOD facilities to 
adhere to the requirements of the Federal regulations even if they are not otherwise bound 
by them. Moreover, some third parties (entities that are not AOD programs) may become 
bound by the regulations if they receive patient-identifying information from an AOD 
program. See Section V for a discussion of such third parties. 

B. DOES THE COMPLAINT PERTAIN TO A "PATIENT"? 

Issue. :1s the person whose confidentiality allegedly was breached a "patient." whose 
records are confidential under 42 C.F.R. Part 2? 

1. Did the person whose confidentiality was allegedly breached ever apply for or receive 
from an AOD program any of the following: 

• a diagnostic examination or interview?Y_N_ 


• treatment or counseling? or Y_N 


• referral for treatment? Y_N_ 

If the answer to any of the questions is "yes," he or she is a "patient" protected by the 
regulations. Go to Section II. 

If the answer to all of the questions is no, then he or she is not a "patient." Stop here 
because the regulations do not apply. 

Summary of the Rule 

Even if the alleged disclosure was made by a "program," the regulations only apply if the person 
whose confidentiality allegedly was breached was a "patient." A "patient." is anyone who has 
applied for or received a diagnostic examination or interview, counseling, treatment, or referral 
for treatment for AOD abuse from a program (§2.11). 

Applicants for such AOD services are covered by the regulations even if they fail to show for an 
initial appointment that they arranged or, having been interviewed or diagnosed, elect not to 
follow up or enter treatment. 


The regulations protect current, former, and deceased patients. 



II.WAS THERE A "DISCLOSURE" OF PATIENT-IDENTIFYING INFORMATION? 


Issue :Did the disclosure reveal "patient-identifying information?" 

1. Did the person making the disclosure indicate that: 

• he or she was from an AOD abuse program? or Y_N 


• the person about whom the disclosure was made was an AOD abuser or had ever 
applied for or received diagnosis, treatment, counseling, or referral for 
treatment? Y_N_ 

If the answer to both questions is "no," the program did not make a "disclosure" of patient 
identifying information. Stop here because there was no violation. 

If the answer to either question is "yes," go to question 2. 

2. Did the person making the disclosure state the name of the patient or reveal other 
information from which the patient could be identified? Y_N_ 

If "yes," there was a "disclosure" of patient-identifying infonnation. Go to Section III to 
determine whether the disclosure was authorized. 

If "no," there was no "disclosure" of patient-identifying information. Stop here because 
there was no violation. 

Summary of the Rule 

The Federal regulations generally prohibit programs from disclosing "patient-identifying 
information." "Patient-identifying infonnation" means any information that identifies a patient as 
(i) having applied for or received AOD-related services (diagnosis, treatment, counseling, or 
referral for treatment), or (ii) being an AOD abuser (§ 2.11, 2.12). 

By prohibiting "disclosures," the regulations do not merely refer to explicit statements, such as 
that a specified person is a patient or is an AOD abuser. Rather, the term "disclosure" includes 
implicit disclosures, such as the following: 

• allowing a receptionist to confirm that a particular person is a patient, even if the caller or 
visitor says that he or she is the patient's family member and knows the patient attends 
the program; 

• sending a patient a letter in an envelope that suggests that the addressee may be a patient; 

• faxing a letter revealing or suggesting patient status to the patient's workplace, on the 
program's stationary; 



• faxing any patient-identifying information about a patient to the wrong fax number; 

• leaving a telephone message revealing or suggesting patient status with a patient's 
roommate or on a patient's answering machine where another person may hear the 
message; 

• disclosing the patient's name and the fact that the patient attended a program to a bill 
collection agency, attorney, or a small claims court; 

• having a program counselor appear at a patient's workplace or home and revealing his or 
her relationship with the patient to someone else; 

• disclosing descriptive or anecdotal material from which a patient's identity may be 
inferred (e.g., by referring to a patient as "the Mayor's daughter"); 

• producing and identifying a patient when the police arrive at the program with an arrest 
warrant, but without a valid court order; and 

• pennitting the police to have access to patient records, without first protesting, when the 
police arrive at the program with a search warrant, but without a valid court order. 

The general prohibition against disclosing "patient-identifying information" does not 
mean that programs may never disclose their patients' names. If a program can disclose a 
patient's name, address, or even telephone number without indicating that the person has 
ever applied for or received AOD-related diagnosis, treatment or counseling, the program 
may do so without violating the Federal regulations. Such disclosures are possible 
primarily when the program is part of a larger organization, such as a general hospital, 
and, therefore, can use the name of the hospital when making the disclosure. Similarly, if 
a program has a physician who also maintains a separate office, the physician could make 
a disclosure about a patient without identifying the patient's participation in an AOD 
program. (In doing so, however, providers must be mindful not to violate State laws 
regarding doctor- or therapist-patient privilege.) 

Another way to avoid disclosing patient-identifying information is to make a disclosure 
anonymously. Thus, if a patient threatened to harm his or her spouse, and a court order, 
consent form or other authorization under the regulations could not be feasibly used, the 
program could make an anonymous telephone call to the spouse or even the police. The 
program could disclose the patient's name but not the fact that the patient is in an AOD 
program. Again, the program should be careful not to violate any State laws regarding 
confidential communications between therapists and patients. 

III. IF THERE WAS A DISCLOSURE, WAS THERE PROPER AUTHORIZATION? 
A.CONSENT FORMS 


Issue: Was the disclosure authorized by a valid consent form? 



1. Did the consent fonn contain all the following nine required elements of 42 C.F.R. Part 
2 ? 


• patient's name? Y_N 


• name of the program making the disclosure? Y_N 


• recipient of the infonnation? Y_N 


• purpose of the disclosure? Y_N 


• information to be released? Y N 


• revocation clause? Y_N_ 

If "no," was the patient mandated into the program by the criminal justice system as a 

condition of the disposition of the patient's criminal proceeding? Y_N_ 

If "yes," the consent can be irrevocable for the duration of the patient's criminal justice 
status (unless a State statute provides for an automatic expiration). Mark "O.K." in the 
"yes" blank next to "revocation clause," above. If "no," the consent must state that it is 
revocable. If it does not so state, check "no" in the bla nk next to "revocation clause," 
above. 


• expiration date or condition? Y_N 


• date the consent fonn is signed? Y_N 


• signature of the actual patient (as opposed to the patient’s parent or legal 
representative)? 

If "yes" (meaning that you marked "yes" or "O.K." next to all of the nine elements), go to 
question 1-a. 



If "no," (meaning that at least one "no," was checked next to the nine elements, without a 
corresponding "O.K."), go to question 2. 


a. Is the patient a minor? Y_N_ 

If "yes," go to question 8. 

If "no," go to question 11. 

2. Was any element missing from the consent fonn aside from the patient's signature? Y_ 

N_ 

If "yes," the consent form is not valid. Stop here or detennine whether the disclosure was 
otherwise authorized. 

If "no," go to question 3. 

3. Has the patient been adjudicated incompetent? Y_N_ 

If "yes," go to question 3-a. 

If "no," go to question 4. 

a. Is the form signed by the patient’s guardian or other person authorized under state law to 
act on the patient's behalf? Y_N_ 

If "yes," go to question 11. 

If "no," the consent fonn is not valid. Stop here or determine whether the disclosure was 
otherwise authorized. 

4. Is the patient deceased? Y_N_ 

If "yes," go to question 4-a. 

If "no," go to question 5. 

a. Is the form signed by the executor or administrator of the patient's estate or other personal 
representative appointed under State law or, if none, then the patient's spouse or, if none, 
then by any responsible member of the patient's family? Y_N_ 

If "yes," go to question 11. 

If "no," the consent fonn is not valid. Stop here or determine whether the disclosure was 
otherwise authorized. 

5. Is the patient is a minor? Y_N_ 

If "yes," go to question 6. 

If "no," the consent fonn is not valid. Stop here or determine whether the disclosure was 
otherwise authorized. 



6. Was the disclosure made to the minor's parent, guardian, or other person authorized under 

State law to act on the minor's behalf? Y_N_ 

If "yes," go to question 7. 

If "no," the disclosure was not authorized under the consent rule. Stop here or determine 
whether the disclosure was otherwise authorized. 

7. Is the patient a minor who was applying for services (as opposed to receiving services), 
and the program director determined that the minor applicant: 

(a) lacked capacity to make rational decision on whether to consent to the disclosure and 

(b) that the applicant's situation posed a substantial threat to the life or physical well-being 

of the applicant or any other individual that could be reduced by communicating relevant 
facts to the minor's parent, guardian, or other person authorized under State law to act on 
the minor's behalf? Y_N_ 

If "yes," the disclosure was authorized by the regulations because the minor's consent was 
not necessary. 

If "no," the disclosure was not authorized under the consent rule because other than the 
narrow exception covered in this question, minors must always sign consent forms. Stop 
here or detennine whether the disclosure was otherwise authorized. 

8. Does the State require parental consent for treatment? Y_N_ 

If "yes," go to question 9. 

If "no," the consent fonn need only be signed by the minor. The disclosure was 
authorized under the consent rule. 

9. Was the disclosure made to the minor's parent, guardian, or other person authorized under 

State law to act on the minor's behalf? Y_N_ 

If "yes," the disclosure was authorized under the consent rule. 

If "no," go to question 10. 

10. Did the consent form also contain the signature of the parent, guardian, or other person 

authorized under State law to act on the minor's behalf? Y_N_ 

If "yes," go to question 11. 

If "no," the disclosure was not authorized under the consent rule. Stop here or determine 
whether the disclosure was otherwise authorized. 

11. Does the person whose confidentiality was allegedly breached (or other signatories on the 

consent fonn) claim to have revoked his or her consent, either through an oral or written 
revocation? Y_N_ 

If "yes," go to question 12. 

If "no," go to question 15. 



12. Was the patient mandated into treatment by the criminal justice system as a condition of 

the disposition of the patient's criminal proceeding? Y_N_ 

If "yes," go to question 13. 

If "no," go to question 14. 

13. Does the consent form state that it is irrevocable for a specified period of time? Y_N_ 

If "yes," any purported revocation was not valid. Go to question 15. 

If "no," go to question 14. 

14. Is there any written evidence of such revocation, for example, a notation to that effect on 
the consent form or elsewhere in the patient’s record, or a letter written by the patient? 

Y_N_ 

If "yes," and yet the disclosure was made, the disclosure did not fall under the "consent" 
rule. Stop here or detennine whether the disclosure was otherwise authorized. 

If "no," there should be further investigation to determine whether the patient in fact 
revoked his or her consent. If the investigation reveals that such revocation did occur, 
then the disclosure did not fall under the "consent" rule. Stop here or determine whether 
the disclosure was otherwise authorized. If the investigation reveals that there was no 
revocation, go to question 15. 

15. Was any information on the consent form added or altered after the patient 

signed it? Y_N_ 

If "yes," go to question 16. 

If "no," go to question 17. 

16. Did the patient initial or otherwise give written authorization for the additions or 

changes? Y_N_ 

If "yes," go to question 17. 

If "no," the consent fonn is not valid. Stop here or determine whether the disclosure was 
otherwise authorized. 

17. Was the disclosure within the scope of the consent form? Y_N_ 

If "yes," go to question 18. 

If "no," the disclosure was not authorized by the consent rule. Stop here or detennine 
whether the disclosure was otherwise authorized. 

18. Was the disclosure followed by a notice prohibiting redisclosure? Y_N_ 


If "yes," the disclosure was authorized by the consent rule. 



If "no," the disclosure was not authorized by the consent rule. Stop here or detennine 
whether the disclosure was otherwise authorized. 

Summary of the Rule 

Generally, a program may disclose any information about a patient if the patient authorizes the 
disclosure by signing a valid consent form ('§ 2.31, 2.33). A consent form under the Federal 
regulations is much more detailed than a general medical release. It must contain all of the 
following nine elements. If the form is missing even one of these elements, it is not valid: 

• the name of the patient; 

• the name or general designation of the program making the disclosure; 

• the recipient of the information; 

o Although the recipient should not be as general as an entire agency or department, 
it need not be as specific as the name of an individual. Instead, the consent form 
may describe the recipient's job title and/or job functions. 


o It is pennissible to list more than one recipient on a single consent form and to 
authorize disclosures between and among all the parties listed. When doing such 
multiple-party consents, however, it is important that the "information" and 
"purpose" and all other elements of the form (see below) be the same for all of the 
authorized disclosures. 

• the purpose of the disclosure; 

The purpose should be narrowly described and should correspond with the information to 
be released. The purpose should never be as broad as "for all client care." 

• the infonnation to be released; 

The information should be described as exactly and narrowly as possible in light of the 
purpose of the release. Releases for "any and all pertinent information" are not valid; 

• that the patient understands that he or she may revoke the consent at any time—orally or 
in writing—except to the extent that action has been taken in reliance on it; 

A consent for a patient referred by the criminal justice system, however, may be 
made irrevocable for a period of time (§ 2.35). (But note that some State statutes 
and regulations provide for the automatic expiration of such consents after 60 or 
90 days.) 


o 



o When a patient revokes a consent form, the program is advised to note the date of 
the revocation clearly on the consent fonn and to draw an X through the form. 

the date or condition upon which the consent expires, if it has not been revoked earlier; 

o Although the Federal regulations do not provide for any time limit on the validity 
of a consent form, some State laws provide for the automatic expiration of 
consents after a certain period of time. 

the date the consent form is signed; and 

the signature of the patient. 

o If the patient has died, the executor or administrator of the estate, or if there is 
none, the spouse or, if none, then any responsible member of the patient's family 
may sign (§ 2.15(b)(2)). 

o No consent is needed to disclose information relating to the cause of death to such 
agencies as are empowered to collect vital statistics or inquire into causes of death 
(§ 2.15(b)(1)). 

o If the patient is an adjudicated incompetent, a guardian or other person authorized 
by State law to act on the patient's behalf may sign (§ 2.15(a)(1)). 

o If the patient is a minor, the patient generally must sign the consent form—even if 
the disclosure is to the minor's parent. 

For example, if State law requires a program to obtain a parent's consent in order 
to treat a minor, the minor must sign a consent form authorizing the disclosure to 
the parent (§ 2.14(b)-(c)). The only exception is for minors who are applying for 
AOD services and yet lack the capacity to make a rational decision about whether 
to sign a consent form authorizing a disclosure that the program director 
determines is necessary to reduce a threat to the life or physical well-being of the 
applicant or anyone else (§ 2.14(d)). 

In addition to the minor's signature, the parent's or other legal guardian's signature 
is only required if State law requires parental authorization for treating a minor. If 
the State permits the minor to be treated without the legal guardian's 
authorization, the minor's signature alone may authorize a disclosure (§ 2.14(b)- 
(c)). 

o A client should never sign or be requested to sign a consent fonn before all of the 
blanks have been filled in. 

o If any changes are made to a consent form after a client signs it, the client should 
initial the changes when they are made to indicate that the patient understands and 
agrees to the changes. 



Whenever a disclosure is made pursuant to a consent, it must be accompanied by 
a written notice prohibiting redisclosure (§ 2.32). The written statement, which 
can be in the form of a separate sheet of paper or a rubber stamp on the disclosed 
document, warns the recipient that the information disclosed is protected by 
Federal law and may not be redisclosed except with the patient's consent or under 
other authorization. The language in the warning must be identical to that set forth 
in § 2.32 of the regulations. The prohibition on redisclosure notice must be sent to 
the recipient even if the disclosure was made orally. 

Copies of all consent forms should be kept in the patient's file. 

B. INTERNAL COMMUNICATIONS 

Issue: Was the disclosure an authorized internal communication? 

1. Was the disclosure made to someone: 

• within the program? or Y_N_ 

• in an entity having direct administrative control over a program? Y_N_ 

If the answer to either question is "yes," go to question 2. 

If the answer to both questions is "no," the disclosure did not fall within the internal 
communications rule. Stop here or determine whether the disclosure was otherwise 
authorized. 

2. Did the recipient need the infonnation in connection with his or her duties arising out of 
the provision of AOD abuse diagnosis, counseling, treatment, or referral for treatment? 

Y_N_ 

If "yes," the disclosure was authorized by the internal communications rule. (If the 
disclosure was made to an entity having direct administrative control over a program, see 
Section V to detennine whether the administrative entity complied with the law.) 

If "no," the disclosure did not fall within the internal communications rule. Stop here or 
determine whether the disclosure was otherwise authorized. 

Summary of the Rule 

Patient-identifying infonnation may be disclosed within a program, or to an entity having direct 
administrative control over a program, if the recipient of the disclosure needs the information in 
connection with his or her duties arising out of the provision of AOD abuse diagnosis, 
counseling, treatment, or referral for treatment (§ 2.12(c)(3)). 



"Within the program" means within the organization or organizational unit that provides AOD- 
related services. Thus for entities that only provide AOD treatment in part, they may only share 
patient-identifying information within that part. For example, the staff of a detoxification unit 
within a hospital may share patient-identifying information with one another—and with hospital 
administrators with direct supervisory oversight for the program—where such sharing of 
information is needed to provide AOD-related services to the program's patients. The program 
may also share infonnation, as necessary, with, for example, the hospital's recordkeeping or 
billing departments, because those administrative units are integral to the program's functioning. 
However, the program may not freely share patient-identifying information with other parts or 
units of the hospital (because they are not part of the "program" or an entity with direct 
administrative control over the program). Note, however, that such communications are possible 
with the patient's proper consent (see Section I.A). 

Anyone within or in direct administrative control of a program that receives patient-identifying 
information is bound by the confidentiality regulations and may not redisclose the information 
except as allowed by the regulations (§ 2.12(d)(2)(ii)). 

C. QUALIFIED SERVICE ORGANIZATION AGREEMENTS 

Issue: Was the disclosure made pursuant to a qualified service organization agreement (QSOA)? 

1. Was the alleged disclosure made to an entity (individual or agency) that provides services 

to the program (a "service organization")? Y_N_ 

If "yes," go to question 2. 

If "no," the disclosure did not fall within the QSOA rule. Stop here or determine whether 
the disclosure was otherwise authorized. 

2. Did the outside service organization have a written agreement with the program (a 

"QSOA")? Y_N_ 

If "yes," go to question 3. 

If "no," the disclosure did not fall under the QSOA rule. Stop here or detennine whether 
the disclosure was otherwise authorized. 

3. Did the QSOA state that in receiving patient-identifying information, the qualified 
service organization: 

• became bound by the Federal confidentiality regulations? and Y_N_ 

• agreed to resist injudicial proceedings, if necessary, any unauthorized efforts to 

obtain access to patient records? Y_N_ 


If the answer to both questions is "yes," go to question 4. 

If the answer to either question is "no," the QSOA was not valid. Stop here or detennine 
whether the disclosure was otherwise authorized. 




4. Was the service organization that received the information also an AOD program? Y_ 

N_ 

If "yes," go to question 5. 

If "no," the program’s disclosure was authorized by the QSOA rule. (See Section V to 
determine whether the qualified service organization redisclosed the infonnation in 
violation of the regulations.) 

5. Did the service organization that is also an AOD program need the information to 

perform an AOD-related service? Y_N_ 

If "yes," the QSOA was not proper, according to a legal opinion issued by the 
Department of Health and Human Services (DHHS). Stop here or determine whether the 
disclosure was otherwise authorized. 

If "no," the program's disclosure was authorized by the QSOA rule. (See Section V to 
determine whether the qualified service organization redisclosed the infonnation in 
violation of the regulations.) 

Summary of the Rule 

Programs may disclose patient-identifying information to a "qualified service organization" 
without the patient's consent (§ 2.12(c)(4)). A "qualified service organization" is a person or 
agency that provides services to the program, such as data processing, dosage preparation, 
laboratory analyses, vocational counseling, or legal, medical, accounting, or other professional 
services that the program does not provide for itself. 

The department of health can also be a "service organization" if it provides health-related 
services to the program. Examples of such services include offering tests for HIV, tuberculosis, 
and sexually transmitted diseases; providing treatment for communicable diseases; or monitoring 
the patient's case to ensure that he or she is receiving treatment. Managed care companies can, in 
limited circumstances, also be "service organizations," provided they are providing a service, 
such as legal, medical, accounting, or laboratory services. For example, if individuals enrolled in 
a managed care program can receive AOD treatment from any certified AOD program, but must 
receive primary health care from the managed care provider's staff physicians, the managed care 
provider could be considered a "service organization"; it is rendering medical services. 

In order to receive patient-identifying information, the "service organization" must enter into a 
written agreement with the program in which it acknowledges that it is bound by the Federal 
confidentiality regulations, promises not to redisclose patient-identifying information to which it 
becomes privy, and promises to resist unauthorized efforts to gain access to any patient- 
identifying information in its possession (§ 2.11). 

Once the program and the outside agency have entered into this QSOA, the program may freely 
communicate information from patient records to the "qualified service organization," but only 
that infonnation that is specified in the QSOA and that is needed by the organization to provide 
services to the program. 



Although AOD programs may enter into QSOAs with a variety of outside organizations, they are 
not permitted—according to a legal opinion of the DHHS—to enter into them with one another 
(unless the services offered by one of the programs does not pertain to AOD-related services) or 
with law enforcement agencies. 

A program is not required to inform its patients of the QSOAs to which it is a party. 

D.MEDICAL EMERGENCIES 
Issue: Was the disclosure made properly in a medical emergency? 

1. Was the alleged disclosure made: 

• in response to an immediate threat to the health of any individual? Y_N_ 

• because of the need for immediate medical intervention?Y_N_ 

• to medical personnel? and Y_N_ 

• to someone who needed the patient-identifying information to treat the medical 

emergency?Y_N_ 


If the answer to all of these questions is "yes," go to question 2. 

If the answer to any of these questions is "no," the disclosure did not fall under the 
medical emergency rule. Stop here or determine whether the disclosure was otherwise 
authorized. 

2. After making the disclosure, did the program document in the patient's record the name 
of the recipient and his or her affiliation with any health care facility, the name of the 
individual making the disclosure, the date and time of the disclosure, and the nature of 
the emergency? Y_N_ 

If "yes," the disclosure was proper under the medical emergency rule. 

If "no," the disclosure did not fall under the medical emergency rule. Stop here or 
determine whether the disclosure was otherwise authorized. 

Summary of the Rule 

Even without consent, patient-identifying information may be disclosed to medical personnel in 
a medical emergency (§ 2.51). 


A medical emergency is a situation that poses an immediate threat to the health of any individual 
(it need not be the patient) and requires immediate medical intervention. Typical examples of a 



medical emergency include a suicide threat, a drug overdose, or a patient with active and 
infectious tuberculosis who is not taking his or her medications. 

This rule pennits the program to release patient-identifying information to medical personnel 
who need the information to treat the medical condition. The program may not use the medical 
emergency rule to contact family members or the police. When releasing information pursuant to 
a medical emergency, programs must document the disclosure in the patient's record, setting 
forth the name of the recipient and his or her affiliation with any health care facility, the name of 
the individual making the disclosure, the date and time of the disclosure, and the nature of the 
emergency (§ 2.51(c)). 

E.CRIMES ON PROGRAM PREMISES OR AGAINST PROGRAM 
PERSONNEL 

Issue: Was the disclosure made in response to a crime on program premises or against program 
personnel? 

1. Was the disclosure made in response to a crime or threatened crime: 

• on the program premises (against anyone)? Y_N_ 


• against program personnel (anywhere)? Y_N_ 

If the answer to either question is "yes," go to question 2. 

If the answer to both questions is "no," the disclosure did not fall under the crime on 
program premises or against program personnel rule. Stop here or determine whether the 
disclosure was otherwise authorized. 

2. Was the disclosure limited to the circumstances of the incident, including the patient’s 
name, address, last known whereabouts, and patient status? Y_N_ 

If "yes," the disclosure was authorized by the rule. 

If "no," the disclosure did not fall within the rule. Stop here or determine whether the 
disclosure was otherwise authorized. 

Summary of the Rule 

The regulations permit a program to release patient-identifying information to the police if a 
patient commits or threatens to commit a crime either (i) on the premises (against anyone) or (ii) 
against program staff anywhere. 


When reporting such a crime, in addition to the particulars of the crime, the program may give 
the police the patient's name, address, and last known whereabouts. The program may not release 



to the police the names of other patients who were victims or witnesses to the crime without 
those patients' prior written consent. 


This rule does not authorize disclosure of a patient's confession to a past crime unless the crime 
was on the program premises or against program personnel. 

F. MANDATED REPORTS OF CHILD ABUSE OR NEGLECT 

Issue: Was the disclosure authorized by the child abuse reporting rule? 

1. Was the disclosure required under the state's child abuse and neglect reporting law? Y_ 

N_ 

If "yes," go to question 2. 

If "no," the disclosure did not fall under the child abuse reporting rule. Stop here or 
determine whether the disclosure was otherwise authorized. 

2. Did the disclosure include only the initial report and/or a confirmation of that report? Y_ 

N_ 

If "yes," the disclosure was authorized by the child abuse reporting rule. 

If "no," the disclosure was broader than that pennitted under the child abuse reporting 
rule and, therefore, not permitted. Stop here or detennine whether the disclosure was 
otherwise authorized. 

Summary of the Rule 

In 1987, the regulations were amended to permit AOD programs to comply with State laws 
requiring people in certain positions or occupations to report cases of suspected child abuse or 
neglect. Accordingly, the regulations "do not apply to the reporting under State law of incidents 
of suspected child abuse and neglect to the appropriate State or local authorities" (§ 2.12(c)(6)). 

Under this rule, program staff may make reports to local child abuse hotlines and even confirm 
the reports in writing. However, the program's disclosures must stop there. The regulations 
continue "to apply to the original alcohol or drug abuse patient records maintained by the 
program including their disclosure and use for civil or criminal proceedings which may arise out 
of the report of suspected child abuse and neglect." This means that although a program may 
make State-mandated child abuse reports, patient files must be withheld from child protection 
agencies absent patient consent or a court order. 

G. RESEARCH 

Issue: Was the disclosure authorized under the research rule? 

1. Was the disclosure made to someone doing research? Y_N_ 



If "yes," go to question 2. 

If "no," the disclosure did not fall within the research rule. Stop here or determine 
whether the disclosure was otherwise authorized. 

2. Before the program made the disclosure, did the director determine: 

• that the researcher was qualified? Y_N_ 


• that the researcher had a protocol under which the security of patient records was 

assured (per §2.16)? and Y_N_ 

• that patient-identifying information would not be redisclosed? Y_N_ 

If the answer to all of the above questions is "yes," go to question 3. 

If the answer to any of the above questions is "no," the disclosure did not fall within the 
research rule. Stop here or detennine whether the disclosure was otherwise authorized. 

3. Did the researcher provide a written statement that three or more independent evaluators 
had reviewed the research protocol and determined that: 

• the rights and welfare of the patients concerned would be adequately protected? 
and Y N 


• the potential benefits of the research outweighed the risks to patient 
confidentiality? Y_N_ 

If the answer to both of the above questions is "yes," the program’s disclosure was 
authorized by the research rule. (See Section V to determine whether the researcher also 
complied with the law.) 

If the answer to either of the above questions is "no," the disclosure did not fall within the 
research rule. Stop here or detennine whether the disclosure was otherwise authorized. 

Summary of the rule 

A program may allow a researcher to have access to its patients' records under the following 
circumstances: 


First, the program director must determine (i) that the researcher is qualified, (ii) that the 
researcher has a protocol under which the security of patient records is assured (per § 2.16), and 
(iii) that patient-identifying information will not be redisclosed. 



In addition, the researcher must provide a written statement that three or more independent 
evaluators have reviewed the research protocol and detennined that the rights and welfare of the 
patients concerned will be adequately protected and that the potential benefits of the research 
outweigh the risks to patient confidentiality (§ 2.52(a)). 

If a researcher satisfies the above standard, the researcher may proceed but is barred from 
redisclosing patient-identifying information except back to the program itself. No report may 
identify any individual patient (§ 2.52(b)). 

H. AUDIT AND EVALUATION 

Issue: Was the disclosure authorized under the audit and evaluation rule? 

1. Was the disclosure made to any of the following: a Government agency that funds or 
regulates the program? Y_N_ 

• a private person or agency that provides financial assistance or third-party 
payments to the program? Y_N_ 


• a peer-review organization that perfonns utilization or quality control 
review? or Y N 


• a person that the program director detennined to be "qualified" to conduct the 
audit or evaluation? Y N 


If the answer to any of the questions is "yes," go to question 2. 

If the answer to all of the questions is "no," the disclosure did not fall within the audit and 
evaluation rule. Stop here or detennine whether the disclosure was otherwise authorized. 

2. Was the purpose of the disclosure to enable the oversight entity to conduct the audit or 
evaluation of the program? Y N 

If "yes," go to question 3. 

If "no," the disclosure did not fall within the audit and evaluation rule. Stop here or 
determine whether the disclosure was otherwise authorized. 

3. Did the auditor or evaluator agree in writing that it would redisclose patient-identifying 
information only: 


back to the program? or Y_N 



• to a Government agency that is overseeing a Medicare or Medicaid audit or 

evaluation? Y_N_ 

If the answer to both questions is "yes," go to question 4. 

If the answer to either question is "no," the disclosure did not fall within the audit and 
evaluation rule. Stop here or detennine whether the disclosure was otherwise authorized. 

4. Did the auditor or evaluator agree in writing to use the information only: 

• for the audit or evaluation? or Y N 


• pursuant to a court order to investigate or prosecute the program (not a 

patient)? Y_N_ 

If the answer to both questions is "yes," go to question 5. 

If the answer to either question is "no," the disclosure did not fall within the audit and 
evaluation rule. Stop here or detennine whether the disclosure was otherwise authorized. 

5. Did the program copy for or give the auditor or evaluator any records containing patient- 

identifying information for the auditor or evaluator to remove from the program 
premises? Y_N_ 

If "yes," go to question 6. 

If "no," stop here because the program's disclosure to the auditor or evaluator was 
authorized by the audit and evaluation rule. 

6. Was the auditor or evaluator a: 

• Government agency that funds or regulates the program? Y_N_ 


• private person or agency that provides financial assistance or third-party payments 
to the program? or Y_N_ 


• peer-review organization that performs utilization or quality control review? Y 
N 


If the answer to any of the above questions is "yes," go to question 7. 



If the answer to all of the above questions is "no" (i.e., the auditor or evaluator was 
merely someone whom the director determined was "qualified" to conduct an audit or 
evaluation), the program was not authorized, under the audit and evaluation exception, to 
pennit the auditor or evaluator to copy or remove records. Stop here or detennine 
whether the disclosure was otherwise authorized. 

7. Prior to copying or removing patient records, did the auditor or evaluator agree in writing 
to: 

• maintain the patient-identifying infonnation in accordance with the security 
requirements provided in § 2.16 of the regulations (or more stringent 
requirements)? Y_N_ 


• destroy all patient-identifying information upon completion of the audit or 
evaluation? and Y N 


• comply with the limitations on disclosure and use specified in § 2.53(d)? (Section 
2.53(d) provides that any person or organization that conducts an audit or 
evaluation must agree in writing that it will redisclose patient-identifying 
information only (i) back to the program or (ii) to a Government agency that is 
overseeing a Medicare or Medicaid audit or evaluation. Such person or 
organization must also agree in writing to use the infonnation only for the audit or 
evaluation or pursuant to a court order to investigate or prosecute the program 
(not a patient).) Y_N_ 

If the answer to all of the above questions is "yes," the program was authorized, under the 
audit and evaluation rule to permit the copying or removal of records. (See Section V to 
determine whether the auditor or evaluator complied with the regulations.) 

If the answer to any of the above questions is "no," the program was not authorized under 
the audit and evaluation rule to permit the copying or removal of records. You may 
determine whether the disclosure was authorized under another rule. In addition, see 
Section V to detennine whether the auditor or evaluator complied with the regulations. 

Summary of the Rule 

Government agencies that fund or regulate a program, private persons that provide financial 
assistance or third-party payments to a program, peer-review organizations that perfonn 
utilization or quality control review, and persons whom the program director determines are 
"qualified" may have access to program records for audits or evaluations of the program (§ .53). 
Examples of such funding or oversight agencies include Government agencies that administer 
the Medicaid program and that contract with AOD programs, insurance and managed care 
companies, and State agencies that license and regulate AOD programs. 



Any person or organization that conducts an audit or evaluation must agree in writing that it will 
redisclose patient-identifying information only (i) back to the program, or (ii) to a Government 
agency that is overseeing a Medicare or Medicaid audit or evaluation. Such person or 
organization also must agree in writing to use the infonnation only for the audit or evaluation or 
pursuant to a court order to investigate or prosecute the program (not a patient) (§ 2.53(c) and 
(d)). 

The agencies listed in the first paragraph above also may copy or remove records, but only if 
they agree in writing to (i) safeguard the confidentiality of patient-identifying infonnation in 
accordance with the security requirements of § 2.16 of the regulations (or more stringent 
requirements), (ii) destroy all such information on completion of the audit or evaluation, (iii) 
redisclose patient-identifying information back to the program or to a Government agency that is 
overseeing a Medicaid or Medicare audit or evaluation, and (iv) not use the information except 
for purposes of the audit or evaluation or to investigate or prosecute criminal or other activities 
as authorized by a court order entered under § 2.66 (§ 2.53(b)-(d)). Thus a State regulatory 
agency could not obtain patient records pursuant to an audit and then store them permanently on 
a computer database. 

Any other person or organization detennined by the program director to be "qualified" and that 
pledges in writing to observe the restrictions on redisclosure and use that are specified two 
paragraphs above may also inspect patient records for audit or evaluation purpose without 
consent. Only the agencies listed in the first paragraph, however, may copy or remove records. 

I. COURT ORDERS 

Issue: Was the disclosure made in response to a valid court order? 

1. Did the program make the disclosure in response to an order that states it was issued 

under the Federal confidentiality regulations (42 C.F.R. Part 2) and was signed or issued 
by a court? Y_N_ 

If "yes," go to question 2. 

If "no," the disclosure did not fall under the court order rule. (Recall that a subpoena, 
search warrant, or arrest warrant, in and of itself, is not a court order that meets the 
requirements of 42 C.F.R. Part 2. For arrest or search warrants, proceed to Section IV to 
determine whether the program's response was proper.) Stop here or detennine whether 
the disclosure was otherwise authorized. 

2. Did the program itself apply for the court order (as opposed to a third party who wanted 

the infonnation from the program)? Y_N_ 

If "yes," go to question 3. 

If "no," go to question 7. 

3. Did the program's application use a fictitious name for the patient? Y_N_ 



If "yes," go to question 5. 

If "no," go to question 4. 

4. Did the patient sign a valid consent authorizing the use of his or her name in the 

application? Y_N_ 

If "yes," go to question 5. 

If "no," the application for the court order was not authorized by the court order rule. 
Stop here or determine whether it was otherwise authorized by the regulations. 

5. Did the program give the patient adequate notice of the application for the court order as 

well as an opportunity to make a written response or to appear in person for the limited 
purpose of responding to the application? Y_N_ 

If "yes," go to question 7. 

If "no," go to question 6. 

6. Was the disclosure sought for the purpose of investigating or prosecuting the patient for 

crime? Y_N_ 

If "yes," the program did not need to give the patient notice. Go to question 7. 

If "no," stop here because the failure to provide the notice renders the program's 
application improper under the regulations, or determine whether the disclosure was 
otherwise authorized. 

7. Did the program disclose only that information described in the court order? Y_N_ 

If "yes," the disclosure was authorized by the court order rule. 

If "no," the program’s disclosure was broader than that allowed under the "court order" 
rule and, therefore, not permitted. Stop here or detennine whether the disclosure was 
otherwise authorized. 

Summary of the Rule 

A Federal, State, or local court may authorize a program to make a disclosure of patient- 
identifying information. A court may issue such an order, however, only after following certain 
procedures and making certain detenninations specified in the regulations (§ 2.63-2.67). A 
subpoena, search warrant, or arrest warrant, even when it is signed by a judge, is not sufficient, 
by itself, to require or even permit a program to make a disclosure (§ 2.61). 

For guidance on how to respond to search and arrest warrants, see Section IV. When faced with 
subpoena, a program may contact the patient referenced in the subpoena and seek the patient's 
consent to release the subpoenaed information. Alternatively, a program may contact the party 
that issued the subpoena and attempt to persuade the party to seek a proper court order. If that 
fails, the program could move to quash the subpoena. 



With respect to court orders, the applicant for the court order must follow certain procedures, 
such as using a fictitious name, like John Doe, to refer to any patient (unless the patient has 
consented to the use of his or her real name). In addition, the applicant generally must give the 
program and the patient "adequate notice" of an opportunity to file a written response to the 
application or appear in person for the limited purpose of responding to the application (§ 2.64(a) 
and (b)). If the court order was requested in order to criminally investigate or prosecute a patient, 
however, the patient need not receive notice. (§ 2.65) Likewise, if the court order was requested 
in order to criminally prosecute or investigate the program, the program need not receive notice 
(§ 2 . 66 ). 

This checklist is limited to those requirements for which AOD programs can properly be held 
accountable (i.e., the program made no disclosure until and unless a court ordered it to do so 
under the Federal regulations, and the program only disclosed the infonnation listed in the court 
order). (The AOD program and its lawyer also are responsible for properly filing a request for a 
court order if the program initiates the application.) AOD programs cannot be held accountable 
for procedural or substantive errors made by a court, prosecuting attorney, and so on. This is not 
to suggest, however, that the program should not take steps to ensure that a third party who seeks 
a court order has followed the proper procedures, such as providing proper notice and holding a 
hearing with respect to whether the disclosure should be made. Furthermore, the program and/or 
the patient concerned could file an appeal if the court issued the order improperly. 

IV. RESPONDING TO SEARCH AND ARREST WARRANTS 

Issue: Did the AOD program respond appropriately to a search or arrest warrant? 

1. When law enforcement officials contacted the program, did the program attempt to 

persuade the officials to obtain a court order (as discussed in Section III.I)? Y_N_ 

If "yes," go question 2. 

If "no," there may have been a violation of the regulations if the program provided 
patient-identifying information. 

2. If the law enforcement officials insisted on entry, did the program either: 

• point out the patient sought in the arrest warrant? or Y_N_ 


• provide the records sought in the search warrant? Y_N_ 

If the answer to either question is "yes," there may have been a violation of the 
regulations. 

If the answer to both questions is "no," there likely was no violation of the regulations. 


Summary of the Rule 



As discussed in Section III.I, neither a search warrant nor an arrest warrant, in and of itself, 
constitutes the type of court order authorized under the regulations. Consequently, programs may 
not disclose patient-identifying infonnation in response to such warrants. 

On the other hand, the regulations do not require a program to forcibly resist a law enforcement 
officer who insists on entry. The DHHS has ruled that when faced with an arrest or search 
warrant without a valid court order, programs generally should: 

• produce a copy of the regulations and explain that they cannot cooperate with law 
enforcement unless they obtain a court order; 

• try to get time to notify a lawyer; 

• ask to contact the prosecuting attorney or commanding officer so that the program can 
repeat its arguments; and 

• try other appeals to reason. 

If all of the above fail, programs should not forcibly resist. They may permit the law enforcement 
officials to enter, but they should not point out the patient sought in the arrest warrant or the 
records sought in the search warrant. 

V. DISCLOSURES BY THIRD PARTIES 

Issue: Did a third party who received patient-identifying information from an AOD program 
redisclose it without authorization? 

Third-Party Payers 

1. Did a third-party payer (e.g., insurance company) redisclose patient-identifying 

information it received from a program? 1 Y_N_ 

If "yes," go to question 2. 

If "no," go to question 4. 

2. Did the third-party payer receive the patient-identifying information pursuant to the audit 

and evaluation rule? Y_N_ 

If "yes," go to question 11. 

If "no," go to question 3. 

3. Was the redisclosure authorized by one of the rules discussed in Section III? Y_N_ 


If "yes," the redisclosure was authorized by the regulations. 

If "no," stop here because the redisclosure was not authorized by the regulations. 



Entities With Administrative Control Over Programs 


4. Did an entity with administrative control over a program redisclose patient-identifying 

information it received from the program (pursuant to the internal communications rule 
discussed in Section III.B)? Y_N_ 

If "yes," go to question 5. 

If "no," go to question 6. 

5. Was the redisclosure authorized by one of the rules discussed in Section III? Y_N_ 

If "yes," the redisclosure was authorized by the regulations. 

If "no," stop here because the redisclosure was not authorized by the regulations. 

Consent 

6. Did a third party redisclose patient-identifying information that it received from an AOD 

program pursuant to a valid consent form (discussed in Section III. A)? Y_N_ 

If "yes," go to question 7. 

If "no," go to question 8. 

7. Did the third party receive a "notice prohibiting redisclosure" from the AOD program? 

Y_N_ 

If "yes," the third party's redisclosure was not authorized by the consent rule. Stop here or 
consult the other parts of Section III to detennine whether the disclosure was otherwise 
authorized. 

If "no," the redisclosure was authorized and the third party was not bound by the 
regulations unless the third party was also bound by a QSOA or the research or audit and 
evaluation rules. Go to question 8 to detennine whether any of those rules apply. 

QSOAs 

8. Did a third party redisclose patient-identifying information that it received from an AOD 

program pursuant to a QSOA (discussed in Section III.C)? Y_N_ 

If "yes," the redisclosure was not authorized by the QSOA rule. Stop here or consult the 
other parts of Section III to determine whether the disclosure was otherwise authorized. 

If "no," go to question 9. 

Research 

9. Did a third party redisclose patient-identifying information that it received from an AOD 

program under the "research" rule (discussed in Section III.G)? Y_N_ 



If "yes," go to question 10. 
If "no," go to question 11. 


10. Did the third-party researcher: 

• redisclose patient-identifying information to someone other than back to the 
program itself? Y_N_ 


• issue a report that identified any individual patient? Y_N_ 

If the answer to either question is "yes," the third party's redisclosure was not authorized 
by the research rule (see Section III.G). Stop here or consult the other parts of Section III 
to determine whether the disclosure was otherwise authorized. 

If the answer to both questions is "no," stop here because the third-party researcher did 
not violate the regulations. 

Audit and Evaluation 

11. Did a third party redisclose patient-identifying information that it received from an AOD 

program pursuant to the audit and evaluation rule (discussed in Section III.H)? Y_N_ 

If "yes," go to question 12. 

If "no," stop here because the regulations do not apply. 

12. Did the third-party auditor or evaluator comply with the written agreement (see Summary 
of the Rule for Section III.H to: 

• redisclose patient-identifying information only (i) back to the program or (ii) to a 
Government agency overseeing a Medicare or Medicaid audit or evaluation? and 
Y N 


• use the information only for the audit or evaluation or pursuant to a court order to 
investigate or prosecute the program? Y_N_ 

If the answer to both questions is "yes," go to question 13. 

If the answer to either question is "no," the auditor or evaluator violated the regulations. 

13. Did the auditor or evaluator copy or remove patient records from the program? Y_N_ 

If "yes," go to question 14. 

If "no," stop here because the auditor or evaluator complied with the regulations. 



14. Did the auditor or evaluator comply with the written agreement (see Summary of the Rule 
for Section III.4) to: 

• maintain the patient-identifying infonnation in accordance with the security 
requirements provided in § 2.16 of the regulations (or more stringent 
requirements)? Y_N_ 


• destroy all patient-identifying information on completion of the audit or 
evaluation? and Y N 


• comply with the limitations on disclosure and use specified in § 2.53(d)? Y_ 

N_ 

If the answer to all of the questions is "yes," the auditor's or evaluator's copying or 
removal of records was authorized by the audit and evaluation rule. 

If the answer to any of the questions is "no," the auditor's or evaluator's copying or 
removal of records was not authorized by the audit and evaluation rule. Stop here or 
consult the other parts of Section III to determine whether the copying or removal of 
records was otherwise authorized. 

Summary of the Rule 

As discussed in Sections III.A, C, G, and H, third parties who receive patient-identifying 
information from AOD programs pursuant to consent forms, QSOAs, or the research or audit and 
evaluation rules are generally prohibited from redisclosing it. This section will not repeat the 
details regarding redisclosure under these rules (see Summary of the Rule for Sections III.A, C, 
G, and H). 

In addition, the regulations require third-party payers who receive patient-identifying 
information from programs to comply with the regulations, regardless of whether they received a 
notice prohibiting redisclosure (§ 2.12(d)(2)(i)). 

Likewise, entities with direct administrative control over programs, which receive infonnation 
from programs pursuant to the internal communications' exception (see Section III.B), must 
abide by the disclosure restrictions in the regulations (§ 2.12(d)(2)(ii). 

Note, however, that the prohibitions against redisclosing information obtained from an AOD 
program apply to the infonnation actually received from the AOD program and not from the 
patient. For example, if a third party receives patient-identifying infonnation from an AOD 
program, and the patient self-discloses the identical information to the third party, the third party 
can redisclose the information. This is because the third party is not redisclosing information it 



received pursuant to the consent form or QSOA, but rather, information it received from the 
patient. 


Appendix A—The Confidentiality Law (42 
U.S.C. § 290dd-2) 

This statute, which Congress enacted in 1992, consolidates and replaces (without substantive 
change) the two separate but identical laws Congress originally enacted to govern the 
confidentiality of alcohol abuse patient records (previously codified as 42 U.S.C. § 290dd-3) and 
drug abuse patient records (previously codified as 42 U.S.C. § 290ee-3). (The text of those laws, 
now replaced by this 1992 statute, is set out in § 2.1 of the confidentiality regulations that are 
reprinted in the following pages.) The term "substance abuse" in the current law refers to both 
alcohol and drug abuse. The regulations themselves were not revised as a result of Congress' 

1992 consolidation but were revised slightly in 1995. The revised regulations appear on page 30. 

§ 290dd-2: Confidentiality of Records 

(a) Requirement 

Records of the identity, diagnosis, prognosis, or treatment of any patient that are maintained in 
connection with the performance of any program or activity relating to substance abuse 
education, prevention, training, treatment, rehabilitation, or research, which is conducted, 
regulated, or directly or indirectly assisted by any department or agency of the United States 
shall, except as provided in subsection (e) of this section, be confidential and be disclosed only 
for the purposes and under the circumstances expressly authorized under subsection (b) of this 
section. 

(b) Permitted disclosure 

(1) Consent 

The content of any record referred to in subsection (a) of this section may be disclosed in 
accordance with the prior written consent of the patient with respect to whom such record is 
maintained, but only to such extent, under such circumstances, and for such purposes as may be 
allowed under regulations prescribed pursuant to subsection (g) of this section. 

(2) Method for disclosure 

Whether or not the patient, with respect to whom any given record referred to in subsection (a) of 
this section is maintained, gives written consent, the content of such record may be disclosed as 
follows: 




(A) To medical personnel to the extent necessary to meet a bona fide medical emergency. 

(B) To qualified personnel for the purpose of conducting scientific research, management 
audits, financial audits, or program evaluation, but such personnel may not identify, 
directly or indirectly, any individual patient in any report of such research, audit, or 
evaluation, or otherwise disclose patient identities in any manner. 

(C) If authorized by an appropriate order of a court of competent jurisdiction granted 
after application showing good cause therefor, including the need to avert a substantial 
risk of death or serious bodily harm. In assessing good cause the court shall weigh the 
public interest and the need for disclosure against the injury to the patient, to the 
physicianBpatient relationship, and to the treatment services. Upon the granting of such 
order, the court, in detennining the extent to which any disclosure of all or any part of 
any record is necessary, shall impose appropriate safeguards against unauthorized 
disclosure. 

(c) Use of records in criminal proceedings 

Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no 
record referred to in subsection (a) of this section may be used to initiate or substantiate any 
criminal charges against a patient or to conduct any investigation of a patient. 

(d) Application 

The prohibitions of this section continue to apply to records concerning any individual who has 
been a patient, irrespective of whether or when such individual ceases to be a patient. 

(e) Nonapplicability 

The prohibitions of this section do not apply to any interchange of records— 

(1) within the Armed Forces or within those components of the Department of Veterans 
Affairs furnishing health care to veterans; or 

(2) between such components and the Armed Forces. 

The prohibitions of this section do not apply to the reporting under State law of incidents of 
suspected child abuse and neglect to the appropriate State or local authorities. 

(f) Penalties 

Any person who violates any provision of this section or any regulation issued pursuant to this 
section shall be fined in accordance with Title 18. 

(g) Regulations 

Except as provided in subsection (h) of this section, the Secretary shall prescribe regulations to 
carry out the purposes of this section. Such regulations may contain such definitions, and may 
provide for such safeguards and procedures, including procedures and criteria for the issuance 



and scope of orders under subsection (b)(2)(C) of this section, as in the judgment of the 
Secretary are necessary or proper to effectuate the purposes of this section, to prevent 
circumvention or evasion thereof, or to facilitate compliance therewith. 

(h) Application to Department of Veterans Affairs 

The Secretary of Veterans Affairs, acting through the Under Secretary for Health, shall, to the 
maximum feasible extent consistent with their responsibilities under Title 38, prescribe 
regulations making applicable the regulations prescribed by the Secretary of Health and Human 
Services under subsection (g) of this section to records maintained in connection with the 
provision of hospital care, nursing home care, domiciliary care, and medical services under such 
Title 38 to veterans suffering from substance abuse. In prescribing and implementing regulations 
pursuant to this subsection, the Secretary of Veterans Affairs shall, from time to time, consult 
with the Secretary of Health and Human Services in order to achieve the maximum possible 
coordination of the regulations, and the implementation thereof, which they each prescribe. 

1995 Revisions 

Federal Register, Vol. 60, No. 87, May 5, 1995 

In § 2.11, the definition of Program is revised to read as follows: 

§ 2.11 Definitions. 




Program means: 

(a) An individual or entity (other than a general medical care facility) who holds itself out 
as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for 
treatment; or 

(b) An identified unit within a general medical facility which holds itself out as 
providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for 
treatment; or 

(c) Medical personnel or other staff in a general medical care facility whose primary 
function is the provision of alcohol or drug abuse diagnosis, treatment, or referral for 
treatment and who are identified as such providers. (See § 2.12(e)(1) for examples.) 

Section 2.12(e)(1) is amended by adding the following sentence at the end to read as follows: 
§2.12 Applicability. 





(e)***(l)*** However, these regulations would not apply, for example, to emergency room 
personnel who refer a patient to the intensive care unit for an apparent overdose, unless the 
primary function of such personnel is the provision of alcohol or drug abuse diagnosis, treatment, 
or referral and they are identified as providing such services or the emergency room has 
promoted itself to the community as a provider of such services. 

Subpart A— Introduction 

[42 C.F.R. Subpart A, § 2.1B2.5, as of May 9, 1996] 

§2.1 Statutory authority for confidentiality of drug abuse patient records. 

The restrictions of these regulations upon the disclosure and use of drug abuse patient records 
were initially authorized by section 408 of the Drug Abuse Prevention, Treatment, and 
Rehabilitation Act (21 U.S.C. 1175). That section as amended was transferred by Pub. L. 98-24 
to section 527 of the Public Health Service Act which is codified at 42 U.S.C. 290ee-3. The 
amended statutory authority is set forth below: 

§ 290EE-3. CONFIDENTIALITY OF PATIENT RECORDS. 

(a) Disclosure authorization 

Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in 
connection with the performance of any drug abuse prevention function conducted, regulated, or 
directly or indirectly assisted by any department or agency of the United States shall, except as 
provided in subsection (e) of this section, be confidential and be disclosed only for the purposes 
and under the circumstances expressly authorized under subsection (b) of this section. 

(b) Purposes and circumstances of disclosure affecting consenting patient and patient regardless 
of consent 

(1) The content of any record referred to in subsection (a) of this section may be disclosed in 
accordance with the prior written consent of the patient with respect to whom such record is 
maintained, but only to such extent, under such circumstances, and for such purposes as may be 
allowed under regulations prescribed pursuant to subsection (g) of this section. 

(2) Whether or not the patient, with respect to whom any given record referred to in subsection 
(a) of this section is maintained, gives his written consent, the content of such record may be 
disclosed as follows: 

(A) To medical personnel to the extent necessary to meet a bona fide medical emergency. 

(B) To qualified personnel for the purpose of conducting scientific research, management audits, 
financial audits, or program evaluation, but such personnel may not identify, directly or 
indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise 
disclose patient identities in any manner. 



(C) If authorized by an appropriate order of a court of competent jurisdiction granted after 
application showing good cause therefor. In assessing good cause the court shall weigh the 
public interest and the need for disclosure against the injury to the patient, to the physician- 
patient relationship, and to the treatment services. Upon the granting of such order, the court, in 
determining the extent to which any disclosure of all or any part of any record is necessary, shall 
impose appropriate safeguards against unauthorized disclosure. 

(c) Prohibition against use of record in making criminal charges or investigation ofpatient 

Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no 
record referred to in subsection (a) of this section may be used to initiate or substantiate any 
criminal charges against a patient or to conduct any investigation of a patient. 

(d) Continuing prohibition against disclosure irrespective of status as patient 

The prohibitions of this section continue to apply to records concerning any individual who has 
been a patient, irrespective of whether or when he ceases to be a patient. 

(e) Armed Forces and Veterans' Administration; interchange of records; report of suspected 
child abuse and neglect to State or local authorities 

The prohibitions of this section do not apply to any interchange of records— 

(1) within the Armed Forces or within those components of the Veterans' Administration 
furnishing health care to veterans, or 

(2) between such components and the Armed Forces. 

The prohibitions of this section do not apply to the reporting under State law of incidents of 
suspected child abuse and neglect to the appropriate State or local authorities. 

(f) Penalty for first and subsequent offenses 

Any person who violates any provision of this section or any regulation issued pursuant to this 
section shall be fined not more than $500 in the case of a first offense, and not more than $5,000 
in the case of each subsequent offense. 

(g) Regulations; interagency consultations; definitions, safeguards, and procedures, including 
procedures and criteria for issuance and scope of orders 

Except as provided in subsection (h) of this section, the Secretary, after consultation with the 
Administrator of Veterans' Affairs and the heads of other Federal departments and agencies 
substantially affected thereby, shall prescribe regulations to carry out the purposes of this 
section. These regulations may contain such definitions, and may provide for such safeguards 
and procedures, including procedures and criteria for the issuance and scope of orders under 
subsection (b)(2)(C) of this section, as in the judgment of the Secretary are necessary or proper 



to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to 
facilitate compliance therewith. 


(Subsection (h) was superseded by section 111(c)(3) of Pub. L. 94-581. The responsibility of the 
Administrator of Veterans' Affairs to write regulations to provide for confidentiality of drug 
abuse patient records under Title 38 was moved from 21 U.S.C. 1175 to 38 U.S.C. 4134.) 

§ 2.2 Statutory authority for confidentiality of alcohol abuse patient records. 

The restrictions of these regulations upon the disclosure and use of alcohol abuse patient records 
were initially authorized by section 333 of the Comprehensive Alcohol Abuse and Alcoholism 
Prevention, Treatment, and Rehabilitation Act of 1970 (42 U.S.C. 4582). The section as 
amended was transferred by Pub. L. 98-24 to section 523 of the Public Health Service Act which 
is codified at 42 U.S.C. 290dd-3. The amended statutory authority is set forth below: 

§ 290DD-3.CONFIDENTIALITY OF PATIENT RECORDS. 

(a) Disclosure authorization 

Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in 
connection with the performance of any program or activity relating to alcoholism or alcohol 
abuse education, training, treatment, rehabilitation, or research, which is conducted, regulated, or 
directly or indirectly assisted by any department or agency of the United States shall, except as 
provided in subsection (e) of this section, be confidential and be disclosed only for the purposes 
and under the circumstances expressly authorized under subsection (b) of this section. 

(b) Purposes and circumstances of disclosure affecting consenting patient and patient regardless 
of consent 

(1) The content of any record referred to in subsection (a) of this section may be disclosed in 
accordance with the prior written consent of the patient with respect to whom such record is 
maintained, but only to such extent, under such circumstances, and for such purposes as may be 
allowed under regulations prescribed pursuant to subsection (g) of this section. 

(2) Whether or not the patient, with respect to whom any given record referred to in subsection 
(a) of this section is maintained, gives his written consent, the content of such record may be 
disclosed as follows: 

(A) To medical personnel to the extent necessary to meet a bona fide medical emergency. 

(B) To qualified personnel for the purpose of conducting scientific research, management audits, 
financial audits, or program evaluation, but such personnel may not identify, directly or 
indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise 
disclose patient identities in any manner. 



(C) If authorized by an appropriate order of a court of competent jurisdiction granted after 
application showing good cause therefor. In assessing good cause the court shall weigh the 
public interest and the need for disclosure against the injury to the patient, to the physician- 
patient relationship, and to the treatment services. Upon the granting of such order, the court, in 
determining the extent to which any disclosure of all or any part of any record is necessary, shall 
impose appropriate safeguards against unauthorized disclosure. 

(c) Prohibition against use of record in making criminal charges or investigation ofpatient 

Except as authorized by a court order granted under subsection (b)(2)(C) of this section, no 
record referred to in subsection (a) of this section may be used to initiate or substantiate any 
criminal charges against a patient or to conduct any investigation of a patient. 

(d) Continuing prohibition against disclosure irrespective of status as patient 

The prohibitions of this section continue to apply to records concerning any individual who has 
been a patient, irrespective of whether or when he ceases to be a patient. 

(e) Armed Forces and Veterans' Administration; interchange of record of suspected child abuse 
and neglect to State or local authorities 

The prohibitions of this section do not apply to any interchange of records— 

(1) within the Armed Forces or within those components of the Veterans' Administration 
furnishing health care to veterans, or 

(2) between such components and the Armed Forces. 

The prohibitions of this section do not apply to the reporting under State law of incidents of 
suspected child abuse and neglect to the appropriate State or local authorities. 

(f) Penalty for first and subsequent offenses 

Any person who violates any provision of this section or any regulation issued pursuant to this 
section shall be fined not more than $500 in the case of a first offense, and not more than $5,000 
in the case of each subsequent offense. 

(g) Regulations of Secretary; definitions, safeguards, and procedures, including procedures and 
criteria for issuance and scope of orders 

Except as provided in subsection (h) of this section, the Secretary shall prescribe regulations to 
carry out the purposes of this section. These regulations may contain such definitions, and may 
provide for such safeguards and procedures, including procedures and criteria for the issuance 
and scope of orders under subsection(b)(2)(C) of this section, as in the judgment of the Secretary 
are necessary or proper to effectuate the purposes of this section, to prevent circumvention or 
evasion thereof, or to facilitate compliance therewith. 



(Subsection (h) was superseded by section 111(c)(4) of Pub. L. 94-581. The responsibility of the 
Administrator of Veterans' Affairs to write regulations to provide for confidentiality of alcohol 
abuse patient records under Title 38 was moved from 42 U.S.C. 4582 to 38 U.S.C. 4134.) 

§ 2.3Purpose and effect. 

(a) Purpose. Under the statutory provisions quoted in § § 2.1 and 2.2, these regulations impose 
restrictions upon the disclosure and use of alcohol and drug abuse patient records which are 
maintained in connection with the performance of any federally assisted alcohol and drug abuse 
program. The regulations specify: 

(1) Definitions, applicability, and general restrictions in Subpart B (definitions applicable to § 
2.34 only appear in that section); 

(2) Disclosures which may be made with written patient consent and the form of the written 
consent in Subpart C; 

(3) Disclosures which may be made without written patient consent or an authorizing court order 
in Subpart D; and 

(4) Disclosures and uses of patient records which may be made with an authorizing court order 
and the procedures and criteria for the entry and scope of those orders in Subpart E. 

(b) Effect. (1) These regulations prohibit the disclosure and use of patient records unless certain 
circumstances exist. If any circumstances exists under which disclosure is pennitted, that 
circumstance acts to remove the prohibition on disclosure but it does not compel disclosure. 
Thus, the regulations do not require disclosure under any circumstances. 

(2) These regulations are not intended to direct the manner in which substantive functions such 
as research, treatment, and evaluation are carried out. They are intended to insure that an alcohol 
or drug abuse patient in a federally assisted alcohol or drug abuse program is not made more 
vulnerable by reason of the availability of his or her patient record than an individual who has an 
alcohol or drug problem and who does not seek treatment. 

(3) Because there is a criminal penalty (a fine—see 42 U.S.C. 290ee-3(f), 42 U.S.C. 290dd-3(f) 
and 42 C.F.R. § 2.4) for violating the regulations, they are to be construed strictly in favor of the 
potential violator in the same manner as a criminal statute (see M. Kraus & Brothers v. United 
States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)). 

§ 2.4 Criminal penalty for violation. 

Under 42 U.S.C. 290ee-3(f) and 42 U.S.C. 290dd-3(f), any person who violates any provision of 
those statutes or these regulations shall be fined not more than $500 in the case of a first offense, 
and not more than $5,000 in the case of each subsequent offense. 


§ 2.5 Reports of violations. 



(a) The report of any violation of these regulations may be directed to the United States Attorney 
for the judicial district in which the violation occurs. 


(b) The report of any violation of these regulations by a methadone program may be directed to 
the Regional Offices of the Food and Drug Administration. 

Subpart B—General Provisions 

[42 C.F.R. Subpart B, § 2.11B2.67, as of May 9, 1996] 

§2.11 Definitions. 

For purposes of these regulations: Alcohol abuse means the use of an alcoholic beverage which 
impairs the physical, mental, emotional, or social well-being of the user. 

Drug abuse means the use of a psychoactive substance for other than medicinal purposes which 
impairs the physical, mental, emotional, or social well-being of the user. 

Diagnosis means any reference to an individual's alcohol or drug abuse or to a condition which is 
identified as having been caused by that abuse which is made for the purpose of treatment or 
referral for treatment. 

Disclose or disclosure means a communication of patient-identifying information, the 
affirmative verification of another person's communication of patient-identifying information, or 
the communication of any information from the record of a patient who has been identified. 

Informant means an individual: 

(a) Who is a patient or employee of a program or who becomes a patient or employee of a 
program at the request of a law enforcement agency or official: and 

(b) Who at the request of a law enforcement agency or official observes one or more patients or 
employees of the program for the purpose of reporting the information obtained to the law 
enforcement agency or official. 

Patient means any individual who has applied for or been given diagnosis or treatment for 
alcohol or drug abuse at a federally assisted program and includes any individual who, after 
arrest on a criminal charge, is identified as an alcohol or drug abuser in order to determine that 
individual's eligibility to participate in a program. 

Patient-identifying information means the name, address, social security number, fingerprints, 
photograph, or similar information by which the identity of a patient can be determined with 
reasonable accuracy and speed either directly or by reference to other publicly available 
information. The term does not include a number assigned to a patient by a program, if that 
number does not consist of, or contain numbers (such as a social security, or driver's license 
number) which could be used to identify a patient with reasonable accuracy and speed from 
sources external to the program. 



Person means an individual, partnership, corporation, Federal, State or local government agency, 
or any other legal entity. 

Program means: 

(a) An individual or entity (other than a general medical care facility) who holds itself out as 
providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment; or 

(b) An identified unit within a general medical facility which holds itself out as providing, and 
provides, alcohol or drug abuse diagnosis, treatment or referral for treatment; or 

(c) Medical personnel or other staff in a general medical care facility whose primary function is 
the provision of alcohol or drug abuse diagnosis, treatment or referral for treatment and who are 
identified as such providers. (See § 2.12(e)(1) for examples.) 

Program director means: 

(a) In the case of a program which is an individual, that individual: 

(b) In the case of a program which is an organization, the individual designated as director, 
managing director, or otherwise vested with authority to act as chief executive of the 
organization. 

Qualified sendee organization means a person which: 

(a) Provides services to a program, such as data processing, bill collecting, dosage preparation, 
laboratory analyses, or legal, medical, accounting, or other professional services, or services to 
prevent or treat child abuse or neglect, including training on nutrition and child care and 
individual and group therapy, and 

(b) Has entered into a written agreement with a program under which that person: 

(1) Acknowledges that in receiving, storing, processing or otherwise dealing with any patient 
records from the programs, it is fully bound by these regulations; and 

(2) If necessary, will resist injudicial proceedings any efforts to obtain access to patient records 
except as pennitted by these regulations. 

Records means any infonnation, whether recorded or not, relating to a patient received or 
acquired by a federally assisted alcohol or drug program. 

Third party payer means a person who pays, or agrees to pay, for diagnosis or treatment 
furnished to a patient on the basis of a contractual relationship with the patient or a member of 
his family or on the basis of the patient's eligibility for Federal, State, or local governmental 
benefits. 

Treatment means the management and care of a patient suffering from alcohol or drug abuse, a 
condition which is identified as having been caused by that abuse, or both, in order to reduce or 
eliminate the adverse effects upon the patient. 

Undercover agent means an officer of any Federal, State, or local law enforcement agency who 
enrolls in or becomes an employee of a program for the purpose of investigating a suspected 



violation of law or who pursues that purpose after enrolling or becoming employed for other 
purposes. 


[52 FR 21809, June 9, 1987, as amended at 60 FR 22297, May 5, 1995] 

DAILY C.F.R. (TM) Note 60 FR 22296, No. 87, May 5, 1995 

SUMMARY: The Department published a notice of proposed rulemaking in the Federal Register 
at 59 FR 42561 (August 18, 1994) with corresponding corrections at 59 FR 45063 (August 31, 
1994), which proposed a clarification to the "Confidentiality of Alcohol and Drug Abuse Patient 
Records" regulations codified at 42 C.F.R. part 2. Specifically, the Department proposed to 
clarify that, as to general medical care facilities, these regulations cover only specialized 
individuals or units in such facilities that hold themselves out as providing and provide alcohol 
or drug abuse diagnosis, treatment or referral for treatment and which are federally assisted, 
directly or indirectly. The Secretary has considered the comments received during the comment 
period, and is amending the regulations. 

EFFECTIVE DATE: June 5, 1995. 




§ 2,12 Applicability. 

(a) General —(1) Restrictions on disclosure. The restrictions on disclosure in these regulations 
apply to any information, whether or not recorded, which: 

(1) Would identify a patient as an alcohol or drug abuser either directly, by reference to other 
publicly available information, or through verification of such an identification by another 
person; and 

(ii) Is drug abuse infonnation obtained by a federally assisted drug abuse program after March 
20, 1972, or is alcohol abuse information obtained by a federally assisted alcohol abuse program 
after May 13, 1974 (or if obtained before the pertinent date, is maintained by a federally assisted 
alcohol or drug abuse program after that date as part of an ongoing treatment episode which 
extends past that date) for the purpose of treating alcohol or drug abuse, making a diagnosis for 
that treatment, or making a referral for that treatment. 

(2) Restriction on use. The restriction on use of information to initiate or substantiate any 
criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 
290ee-3(c), 42 U.S.C. 290dd-3(c)) applies to any information, whether or not recorded which is 
drug abuse information obtained by a federally assisted drug abuse program after March 20, 
1972, or is alcohol abuse information obtained by a federally assisted alcohol abuse program 
after May 13, 1974 (or if obtained before the pertinent date, is maintained by a federally assisted 
alcohol or drug abuse program after that date as part of an ongoing treatment episode which 



extends past that date), for the purpose of treating alcohol or drug abuse, making a diagnosis for 
the treatment, or making a referral for the treatment. 

(b) Federal assistance. An alcohol abuse or drug abuse program is considered to be federally 
assisted if: 

(1) It is conducted in whole or in part, whether directly or by contract or otherwise by any 
department or agency of the United States (but see paragraphs (c)(1) and (c)(2) of this section 
relating to the Veterans’ Administration and the Armed Forces); 

(2) It is being carried out under a license, certification, registration, or other authorization 
granted by any department or agency of the United States including but not limited to: 

(i) Certification of provider status under the Medicare program; 

(ii) Authorization to conduct methadone maintenance treatment (see 21 C.F.R. 291.505); or 

(iii) Registration to dispense a substance under the Controlled Substances Act to the extent the 
controlled substance is used in the treatment of alcohol or drug abuse; 

(3) It is supported by funds provided by any department or agency of the United States by being: 

(1) A recipient of Federal financial assistance in any fonn, including financial assistance which 
does not directly pay for the alcohol or drug abuse diagnosis, treatment, or referral activities; or 

(ii) Conducted by a State or local government unit which, through general or special revenue 
sharing or other forms of assistance, receives Federal funds which could be (but are not 
necessarily) spent for the alcohol or drug abuse program; or 

(4) It is assisted by the Internal Revenue Service of the Department of the Treasury through the 
allowance of income tax deductions for contributions to the program or through the granting of 
tax exempt status to the program. 

(c) Exceptions —(1) Veterans’ Administration. These regulations do not apply to infonnation on 
alcohol and drug abuse patients maintained in connection with the Veterans' Administration 
provisions of hospital care, nursing home care, domiciliary care, and medical services under Title 
38, United States Code. Those records are governed by 38 U.S.C. 4132 and regulations issued 
under that authority by the Administrator of Veterans' Affairs. 

(2) Armed Forces. These regulations apply to any infonnation described in paragraph (a) of this 
section which was obtained by any component of the Anned Forces during a period when the 
patient was subject to the Uniform Code of Military Justice except: 


(i) Any interchange of that information within the Anned Forces; and 



(ii) Any interchange of that information between the Anned Forces and those components of the 
Veterans Administration furnishing health care to veterans. 


(3) Communication within a program or between a program and an entity having direct 
administrative control over that program. The restrictions on disclosure in these regulations do 
not apply to communications of infonnation between or among personnel having a need for the 
information in connection with their duties that arise out of the provision of diagnosis, treatment, 
or referral for treatment of alcohol or drug abuse if the communications are 

(i) Within a program or 

(ii) Between a program and an entity that has direct administrative control over the program. 

(4) Qualified Service Organizations. The restrictions on disclosure in these regulations do not 
apply to communications between a program and a qualified service organization of information 
needed by the organization to provide services to the program. 

(5) Crimes on program premises or against program personnel. The restrictions on disclosure 
and use in these regulations do not apply to communications from program personnel to law 
enforcement officers which— 

(i) Are directly related to a patient's commission of a crime on the premises of the program or 
against program personnel or to a threat to commit such a crime; and 

(ii) Are limited to the circumstances of the incident, including the patient status of the individual 
committing or threatening to commit the crime, that individual's name and address, and that 
individual's last known whereabouts. 

(6) Reports of suspected child abuse and neglect. The restrictions on disclosure and use in these 
regulations do not apply to the reporting under State law of incidents of suspected child abuse 
and neglect to the appropriate State or local authorities. However, the restrictions continue to 
apply to the original alcohol or drug abuse patient records maintained by the program including 
their disclosure and use for civil or criminal proceedings which may arise out of the report of 
suspected child abuse and neglect. 

(d) Applicability to recipients of information —(1) Restriction on use of information. The 
restriction on the use of any infonnation subject to these regulations to initiate or substantiate 
any criminal charges against a patient or to conduct any criminal investigation of a patient 
applies to any person who obtains that information from a federally assisted alcohol or drug 
abuse program, regardless of the status of the person obtaining the infonnation or of whether the 
information was obtained in accordance with these regulations. This restriction on use bars, 
among other things, the introduction of that information as evidence in a criminal proceeding and 
any other use of the information to investigate or prosecute a patient with respect to a suspected 
crime. Information obtained by undercover agents or informants (see §2.17) or through patient 
access (see § 2.23) is subject to the restriction on use. 



(2) Restrictions on disclosures—Third party payers, administrative en tities, and others. The 
restrictions on disclosure in these regulations apply to: 


(1) Third party payers with regard to records disclosed to them by federally assisted alcohol or 
drug abuse programs; 

(ii) Entities having direct administrative control over programs with regard to information 
communicated to them by the program under § 2.12(c)(3); and 

(iii) Persons who receive patient records directly from a federally assisted alcohol or drug abuse 
program and who are notified of the restrictions on redisclosure of the records in accordance 
with § 2.32 of these regulations. 

(e) Explanation of applicability —(1) Coverage. These regulations cover any information 
(including information on referral and intake) about alcohol and drug abuse patients obtained by 
a program (as the terms "patient" and "program" are defined in § 2.11) if the program is federally 
assisted in any manner described in § 2.12(b). Coverage includes, but is not limited to, those 
treatment or rehabilitation programs, employee assistance programs, programs within general 
hospitals, school-based programs, and private practitioners who hold themselves out as 
providing, and provide alcohol or drug abuse diagnosis, treatment, or referral for treatment. 
However, these regulations would not apply, for example, to emergency room personnel who 
refer a patient to the intensive care unit for an apparent overdose, unless the primary function of 
such personnel is the provision of alcohol or drug abuse diagnosis, treatment or referral and they 
are identified as providing such services or the emergency room has promoted itself to the 
community as a provider of such services. 

(2) Federal assistance to program required. If a patient's alcohol or drug abuse diagnosis, 
treatment, or referral for treatment is not provided by a program which is federally conducted, 
regulated or supported in a manner which constitutes Federal assistance under § 2.12(b), that 
patient's record is not covered by these regulations. Thus, it is possible for an individual patient 
to benefit from Federal support and not be covered by the confidentiality regulations because the 
program in which the patient is enrolled is not federally assisted as defined in § 2.12(b). For 
example, if a Federal court placed an individual in a private for-profit program and made a 
payment to the program on behalf of that individual, that patient's record would not be covered 
by these regulations unless the program itself received Federal assistance as defined by § 2.12(b). 

(3) Information to which restrictions are applicable. Whether a restriction is on use or disclosure 
affects the type of infonnation which may be available. The restrictions on disclosure apply to 
any infonnation which would identify a patient as an alcohol or drug abuser. The restriction on 
use of infonnation to bring criminal charges against a patient for a crime applies to any 
information obtained by the program for the purpose of diagnosis, treatment, or referral for 
treatment of alcohol or drug abuse. (Note that restrictions on use and disclosure apply to 
recipients of information under § 2.12(d).) 

(4) How type of diagnosis affects coverage. These regulations cover any record of a diagnosis 
identifying a patient as an alcohol or drug abuser which is prepared in connection with the 



treatment or referral for treatment of alcohol or drug abuse. A diagnosis prepared for the purpose 
of treatment or referral for treatment but which is not so used is covered by these regulations. 

The following are not covered by these regulations: 

(i) Diagnosis which is made solely for the purpose of providing evidence for use by law 
enforcement authorities; or 

(ii) A diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual 
involved is not an alcohol or drug abuser (e.g., involuntary ingestion of alcohol or drugs or 
reaction to a prescribed dosage of one or more drugs). 

[52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987, as amended at 60 FR 22297, May 5, 
1995] 




DAILY C.F.R. (TM) Note 
60 FR 22296, No. 87, May 5, 1995 

SUMMARY: The Department published a notice of proposed rulemaking in the Federal Register 
at 59 FR 42561 (August 18, 1994) with corresponding corrections at 59 FR 45063 (August 31, 
1994), which proposed a clarification to the "Confidentiality of Alcohol and Drug Abuse Patient 
Records" regulations codified at 42 C.F.R. part 2. Specifically, the Department proposed to 
clarify that, as to general medical care facilities, these regulations cover only specialized 
individuals or units in such facilities that hold themselves out as providing and provide alcohol 
or drug abuse diagnosis, treatment or referral for treatment and which are federally assisted, 
directly or indirectly. The Secretary has considered the comments received during the comment 
period, and is amending the regulations. 

EFFECTIVE DATE: June 5, 1995. 




§ 2.13 Confidentiality restrictions. 

(a) General. The patient records to which these regulations apply may be disclosed or used only 
as permitted by these regulations and may not otherwise be disclosed or used in any civil, 
criminal, administrative, or legislative proceedings conducted by any Federal, State, or local 
authority. Any disclosure made under these regulations must be limited to that infonnation which 
is necessary to carry out the purpose of the disclosure. 

(b) Unconditional compliance required. The restrictions on disclosure and use in these 
regulations apply whether the holder of the infonnation believes that the person seeking the 
information already has it, has other means of obtaining it, is a law enforcement or other official, 



has obtained a subpoena, or asserts any other justification for a disclosure or use which is not 
pennitted by these regulations. 


(c) Acknowledging the presence of patients: Responding to requests. (1) The presence of an 
identified patient in a facility or component of a facility which is publicly identified as a place 
where only alcohol or drug abuse diagnosis, treatment, or referral is provided may be 
acknowledged only if the patient's written consent is obtained in accordance with Subpart C of 
these regulations or if an authorizing court order is entered in accordance with Subpart E of these 
regulations. The regulations permit acknowledgement of the presence of an identified patient in a 
facility or part of a facility if the facility is not publicly identified as only an alcohol or drug 
abuse diagnosis, treatment or referral facility, and if the acknowledgement does not reveal that 
the patient is an alcohol or drug abuser. 

(2) Any answer to a request for a disclosure of patient records which is not pennissible under 
these regulations must be made in a way that will not affirmatively reveal that an identified 
individual has been, or is being diagnosed or treated for alcohol or drug abuse. An inquiring 
party may be given a copy of these regulations and advised that they restrict the disclosure of 
alcohol or drug abuse patient records, but may not be told affirmatively that the regulations 
restrict the disclosure of the records of an identified patient. The regulations do not restrict a 
disclosure that an identified individual is not and never has been a patient. 

§ 2.14 Minor patients. 

(a) Definition of minor. As used in these regulations the term "minor" means a person who has 
not attained the age of majority specified in the applicable State law, or if no age of majority is 
specified in the applicable State law, the age of 18 years. 

(b) State law not requiring parental consent to treatment. If a minor patient acting alone has the 
legal capacity under the applicable State law to apply for and obtain alcohol or drug abuse 
treatment, any written consent for disclosure authorized under Subpart C of these regulations 
may be given only by the minor patient. This restriction includes, but is not limited to, any 
disclosure of patient-identifying information to the parent or guardian of a minor patient for the 
purpose of obtaining financial reimbursement. These regulations do not prohibit a program from 
refusing to provide treatment until the minor patient consents to the disclosure necessary to 
obtain reimbursement, but refusal to provide treatment may be prohibited under a State or local 
law requiring the program to furnish the service irrespective of ability to pay. 

(c) State law requiring parental consent to treatment. (1) Where State law requires consent of a 
parent, guardian, or other person for a minor to obtain alcohol or drug abuse treatment, any 
written consent for disclosure authorized under Subpart C of these regulations must be given by 
both the minor and his or her parent, guardian, or other person authorized under State law to act 
in the minor's behalf. 

(2) Where State law requires parental consent to treatment the fact of a minor's application for 
treatment may be communicated to the minor's parent, guardian, or other person authorized 
under State law to act in the minor’s behalf only if: 



(1) The minor has given written consent to the disclosure in accordance with Subpart C of these 
regulations or 

(ii) The minor lacks the capacity to make a rational choice regarding such consent as judged by 
the program director under paragraph (d) of this section. 

(d) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a 
threat to the life or physical well being of the applicant or any other individual may be disclosed 
to the parent, guardian, or other person authorized under State law to act in the minor's behalf if 
the program director judges that: (1) A minor applicant for services lacks capacity because of 
extreme youth or mental or physical condition to make a rational decision on whether to consent 
to a disclosure under Subpart C of these regulations to his or her parent, guardian, or other 
person authorized under State law to act in the minor's behalf, and 

(2) The applicant's situation poses a substantial threat to the life or physical well being of the 
applicant or any other individual which may be reduced by communicating relevant facts to the 
minor's parent, guardian, or other person authorized under State law to act in the minor's behalf 

§ 2.15 Incompetent and deceased patients. 

(a) Incompetent patients other than minors —(1) Adjudication of incompetence. In the case of a 
patient who has been adjudicated as lacking the capacity, for any reason other than insufficient 
age, to manage his or her own affairs, any consent which is required under these regulations may 
be given by the guardian or other person authorized under State law to act in the patient's behalf. 

(2) No adjudication of incompetency. For any period for which the program director detennines 
that a patient, other than a minor or one who has been adjudicated incompetent, suffers from a 
medical condition that prevents knowing or effective action on his or her own behalf, the 
program director may exercise the right of the patient to consent to a disclosure under Subpart C 
of these regulations for the sole purpose of obtaining payment for services from a third party 
payer. 

(b) Deceased patients —(1) Vital statistics. These regulations do not restrict the disclosure of 
patient-identifying information relating to the cause of death of a patient under laws requiring the 
collection of death or other vital statistics or permitting inquiry into the cause of death. 

(2) Consent by personal representative. Any other disclosure of information identifying a 
deceased patient as an alcohol or drug abuser is subject to these regulations. If a written consent 
to the disclosure is required, that consent may be given by an executor, administrator, or other 
personal representative appointed under applicable State law. If there is no such appointment the 
consent may be given by the patient's spouse or, if none, by any responsible member of the 
patient's family. 


§ 2.16 Security for written records. 



(a) Written records which are subject to these regulations must be maintained in a secure room, 
locked file cabinet, safe or other similar container when not in use; and 

(b) Each program shall adopt in writing procedures which regulate and control access to and use 
of written records which are subject to these regulations. 

§ 2.17 Undercover agents and informants. 

(a) Restrictions on placement. Except as specifically authorized by a court order granted under § 
2.67 of these regulations, no program may knowingly employ, or enroll as a patient, any 
undercover agent or infonnant. 

(b) Restriction on use of information. No information obtained by an undercover agent or 
informant, whether or not that undercover agent or informant is placed in a program pursuant to 
an authorizing court order, may be used to criminally investigate or prosecute any patient. 

[52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] 

§ 2.18 Restrictions on the use of identification cards. 

No person may require any patient to carry on his or her person while away from the program 
premises any card or other object which would identify the patient as an alcohol or drug abuser. 
This section does not prohibit a person from requiring patients to use or carry cards or other 
identification objects on the premises of a program. 

§ 2.19 Disposition of records by discontinued programs. 

(a) General. If a program discontinues operations or is taken over or acquired by another 
program, it must purge patient-identifying infonnation from its records or destroy the records 
unless— 

(1) The patient who is the subject of the records gives written consent (meeting the requirements 
of § 2.31) to a transfer of the records to the acquiring program or to any other program 
designated in the consent (the manner of obtaining this consent must minimize the likelihood of 
a disclosure of patient-identifying infonnation to a third party); or 

(2) There is a legal requirement that the records be kept for a period specified by law which does 
not expire until after the discontinuation or acquisition of the program. 

(b) Procedure where retention period required by law. If paragraph (a)(2) of this section applies, 
the records must be: 

(1) Sealed in envelopes or other containers labeled as follows: "Records of [insert name of 
program] required to be maintained under [insert citation to statute, regulation, court order or 
other legal authority requiring that records be kept] until a date not later than [insert appropriate 
date]"; and 



(2) Held under the restrictions of these regulations by a responsible person who must, as soon as 
practicable after the end of the retention period specified on the label, destroy the records. 

§ 2.20 Relationship to State laws. 

The statutes authorizing these regulations (42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3) do not 
preempt the field of law which they cover to the exclusion of all State laws in that field. If a 
disclosure permitted under these regulations is prohibited under State law, neither these 
regulations nor the authorizing statutes may be construed to authorize any violation of that State 
law. However, no State law may either authorize or compel any disclosure prohibited by these 
regulations. 

§ 2.21 Relationship to Federal statutes protecting research subjects against compulsory 
disclosure of their identity. 

(a) Research privilege description. There may be concurrent coverage of patient-identifying 
information by these regulations and by administrative action taken under: Section 303(a) of the 
Public Health Service Act (42 U.S.C. 242a(a) and the implementing regulations at 42 C.F.R. Part 
2a); or section 502(c) of the Controlled Substances Act (21 U.S.C. 872(c) and the implementing 
regulations at 21 C.F.R. 1316.21). These "research privilege" statutes confer on the Secretary of 
Health and Human Services and on the Attorney General, respectively, the power to authorize 
researchers conducting certain types of research to withhold from all persons not connected with 
the research the names and other identifying infonnation concerning individuals who are the 
subjects of the research. 

(b) Effect of concurrent coverage. These regulations restrict the disclosure and use of 
information about patients, while administrative action taken under the research privilege statutes 
and implementing regulations protects a person engaged in applicable research from being 
compelled to disclose any identifying characteristics of the individuals who are the subjects of 
that research. The issuance under Subpart E of these regulations of a court order authorizing a 
disclosure of information about a patient does not affect an exercise of authority under these 
research privilege statutes. However, the research privilege granted under 21 C.F.R. 291.505(g) 
to treatment programs using methadone for maintenance treatment does not protect from 
compulsory disclosure any infonnation which is permitted to be disclosed under those 
regulations. Thus, if a court order entered in accordance with Subpart E of these regulations 
authorizes a methadone maintenance treatment program to disclose certain infonnation about its 
patients, that program may not invoke the research privilege under 21 C.F.R. 291.505(g) as a 
defense to a subpoena for that information. 

§ 2.22 Notice to patients of Federal confidentiality requirements. 

(a) Notice required. At the time of admission or as soon thereafter as the patient is capable of 
rational communication, each program shall: 


(1) Communicate to the patient that Federal law and regulations protect the confidentiality of 
alcohol and drug abuse patient records; and 



(2) Give to the patient a summary in writing of the Federal law and regulations. 


(b) Required elements of written summary. The written summary of the Federal law and 
regulations must include: 

(1) A general description of the limited circumstances under which a program may acknowledge 
that an individual is present at a facility or disclose outside the program information identifying a 
patient as an alcohol or drug abuser. 

(2) A statement that violation of the Federal law and regulations by a program is a crime and that 
suspected violations may be reported to appropriate authorities in accordance with these 
regulations. 

(3) A statement that information related to a patient's commission of a crime on the premises of 
the program or against personnel of the program is not protected. 

(4) A statement that reports of suspected child abuse and neglect made under State law to 
appropriate State or local authorities are not protected. 

(5) A citation to the Federal law and regulations. 

(c) Program options. The program may devise its own notice or may use the sample notice in 
paragraph (d) to comply with the requirement to provide the patient with a summary in writing of 
the Federal law and regulations. In addition, the program may include in the written summary 
information concerning State law and any program policy not inconsistent with State and Federal 
law on the subject of confidentiality of alcohol and drug abuse patient records. 

(d) Sample notice. 

CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE PATIENT RECORDS 

The confidentiality of alcohol and drug abuse patient records maintained by this program is 
protected by Federal law and regulations. Generally, the program may not say to a person outside 
the program that a patient attends the program, or disclose any infonnation identifying a patient 
as an alcohol or drug abuser Unless: 

(1) The patient consents in writing: 

(2) The disclosure is allowed by a court order; or 

(3) The disclosure is made to medical personnel in a medical emergency or to qualified 
personnel for research, audit, or program evaluation. 

Violation of the Federal law and regulations by a program is a crime. Suspected violations may 
be reported to appropriate authorities in accordance with Federal regulations. 

Federal law and regulations do not protect any information about a crime committed by a patient 
either at the program or against any person who works for the program or about any threat to 



commit such a crime. Federal laws and regulations do not protect any information about 
suspected child abuse or neglect from being reported under State law to appropriate State or local 
authorities. 

(See 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3 for Federal laws and 42 C.F.R. Part 2 for Federal 
regulations.) 

(Approved by the Office of Management and Budget under Control No. 0930-0099) 

§ 2.23 Patient access and restrictions on use. 

(a) Patient access not prohibited. These regulations do not prohibit a program from giving a 
patient access to his or her own records, including the opportunity to inspect and copy any 
records that the program maintains about the patient. The program is not required to obtain a 
patient's written consent or other authorization under these regulations in order to provide such 
access to the patient. 

(b) Restriction on use of information. Infonnation obtained by patient access to his or her patient 
record is subject to the restriction on use of his information to initiate or substantiate any 
criminal charges against the patient or to conduct any criminal investigation of the patient as 
provided for under § 2.12(d)(1). 

Subpart C—Disclosures With Patient’s Consent 

§ 2.31 Form of written consent. 

(а) Required elements. A written consent to a disclosure under these regulations must include: 

(1) The specific name or general designation of the program or person permitted to make the 
disclosure. 

(2) The name or title of the individual or the name of the organization to which disclosure is to 
be made. 

(3) The name of the patient. 

(4) The purpose of the disclosure. 

(5) How much and what kind of information is to be disclosed. 

(б) The signature of the patient and, when required for a patient who is a minor, the signature of 
a person authorized to give consent under § 2.14; or, when required for a patient who is 
incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the 
patient. 


(7) The date on which the consent is signed. 



(8) A statement that the consent is subject to revocation at any time except to the extent that the 
program or person which is to make the disclosure has already acted in reliance on it. Acting in 
reliance includes the provision of treatment services in reliance on a valid consent to disclose 
information to a third party payer. 

(9) The date, event, or condition upon which the consent will expire if not revoked before. This 
date, event, or condition must insure that the consent will last no longer than reasonably 
necessary to serve the purpose for which it is given. 

(b) Sample consent form. The following form complies with paragraph (a) of this section, but 
other elements may be added. 

1. I (name of patient) o Request o Authorize: 

2. (name or general designation of program which is to make the disclosure) 

3. To disclose: (kind and amount of information to be disclosed) 

4. To: (name or title of the person or organization to which disclosure is to be made) 

5. For (purpose of the disclosure) 

6. Date (on which this consent is signed) 

7. Signature of patient 

8. Signature of parent or guardian (where required) 

9. Signature of person authorized to sign in lieu of the patient (where required) 

10. This consent is subject to revocation at any time except to the extent that the program 
which is to make the disclosure has already taken action in reliance on it. If not 
previously revoked, this consent will terminate upon: (specific date, event, or condition) 

(c) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent 
which: 

(1) Has expired: 

(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) 
of this section; 

(3) Is known to have been revoked; or 

(4) Is known, or through a reasonable effort could be known, by the person holding the records 
to be materially false. 

(Approved by the Office of Management and Budget under control number 0930-0099) 

§ 2.32 Prohibition on redisclosure. 

Notice to accompany disclosure. Each disclosure made with the patient’s written consent must be 
accompanied by the following written statement: 

This information has been disclosed to you from records protected by Federal confidentiality 
rules (42 C.F.R. Part 2). The Federal rules prohibit you from making any further disclosure of 
this information unless further disclosure is expressly permitted by the written consent of the 
person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A general authorization 
for the release of medical or other infonnation is NOT sufficient for this purpose. The Federal 



rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug 
abuse patient. 


[52 FR 21809, June 9, 1987; 52 FR 41997, Nov. 2, 1987] 

§ 2.33 Disclosures permitted with written consent. 

If a patient consents to a disclosure of his or her records under § 2.31, a program may disclose 
those records in accordance with that consent to any individual or organization named in the 
consent, except that disclosures to central registries and in connection with criminal justice 
referrals must meet the requirements of § § 2.34 and 2.35, respectively. 

§ 2.34 Disclosures to prevent multiple enrollments in detoxification and maintenance 
treatment programs. 

(a) Definitions. For purposes of this section: 

Central registry means an organization which obtains from two or more member programs 
patient-identifying information about individuals applying for maintenance treatment or 
detoxification treatment for the purpose of avoiding an individual's concurrent enrollment in 
more than one program. 

Detoxification treatment means the dispensing of a narcotic drug in decreasing doses to an 
individual in order to reduce or eliminate adverse physiological or psychological effects incident 
to withdrawal from the sustained use of a narcotic drug. 

Maintenance treatment means the dispensing of a narcotic drug in the treatment of an individual 
for dependence upon heroin or other morphine-like drugs. 

Member program means a detoxification treatment or maintenance treatment program which 
reports patient-identifying information to a central registry and which is in the same State as that 
central registry or is not more than 125 miles from any border of the State in which the central 
registry is located. 

(b) Restrictions on disclosure. A program may disclose patient records to a central registry or to 
any detoxification or maintenance treatment program not more than 200 miles away for the 
purpose of preventing the multiple enrollment of a patient only if: 

(1) The disclosure is made when: 

(1) The patient is accepted for treatment; 

(ii) The type or dosage of the drug is changed; or 

(iii) The treatment is interrupted, resumed or terminated. 

(2) The disclosure is limited to: 

(i) Patient-identifying information: 



(ii) Type and dosage of the drug; and 

(iii) Relevant dates. 

(3) The disclosure is made with the patient's written consent meeting the requirements of § 2.31, 
except that: 

(i) The consent must list the name and address of each central registry and each known 
detoxification or maintenance treatment program to which a disclosure will be made; and 

(ii) The consent may authorize a disclosure to any detoxification or maintenance treatment 
program established within 200 miles of the program after the consent is given without naming 
any such program. 

(c) Use of information limited to prevention of multiple enrollments. A central registry and any 
detoxification or maintenance treatment program to which information is disclosed to prevent 
multiple enrollments may not redisclose or use patient-identifying information for any purpose 
other than the prevention of multiple enrollments unless authorized by a court order under 
Subpart E of these regulations. 

(d) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member 
program asks a central registry if an identified patient is enrolled in another member program 
and the registry detennines that the patient is so enrolled, the registry may disclose— 

(1) The name, address, and telephone number of the member program(s) in which the patient is 
already enrolled to the inquiring member program; and 

(2) The name, address, and telephone number of the inquiring member program to the member 
program(s) in which the patient is already enrolled. The member programs may communicate as 
necessary to verify that no error has been made and to prevent or eliminate any multiple 
enrollment. 

(e) Permitted disclosure by a detoxification or maintenance treatment program to prevent a 
multiple enrollment. A detoxification or maintenance treatment program which has received a 
disclosure under this section and has determined that the patient is already enrolled may 
communicate as necessary with the program making the disclosure to verify that no error has 
been made and to prevent or eliminate any multiple enrollment. 

§ 2.35 Disclosures to elements of the criminal justice system which have referred patients. 

(a) A program may disclose information about a patient to those persons within the criminal 
justice system which have made participation in the program a condition of the disposition of 
any criminal proceedings against the patient or of the patient's parole or other release from 
custody if: 

(1) The disclosure is made only to those individuals within the criminal justice system who have 
a need for the information in connection with their duty to monitor the patient's progress (e.g., a 
prosecuting attorney who is withholding charges against the patient, a court granting pretrial or 
posttrial release, probation or parole officers responsible for supervision of the patient); and 



(2) The patient has signed a written consent meeting the requirements of § 2.31 (except 
paragraph (a)(8) which is inconsistent with the revocation provisions of paragraph (c) of this 
section) and the requirements of paragraphs (b) and (c) of this section. 

(b) Duration of consent. The written consent must state the period during which it remains in 
effect. This period must be reasonable, taking into account: 

(1) The anticipated length of the treatment; 

(2) The type of criminal proceeding involved, the need for the infonnation in connection with the 
final disposition of that proceeding, and when the final disposition will occur; and 

(3) Such other factors as the program, the patient, and the person(s) who will receive the 
disclosure consider pertinent. 

(c) Revocation of consent. The written consent must state that it is revocable upon the passage of 
a specified amount of time or the occurrence of a specified, ascertainable event. The time or 
occurrence upon which consent becomes revocable may be no later than the final disposition of 
the conditional release or other action in connection with which consent was given. 

(d) Restrictions on redisclosure and use. A person who receives patient information under this 
section may redisclose and use it only to carry out that person’s official duties with regard to the 
patient's conditional release or other action in connection with which the consent was given. 

Subpart D—Disclosures Without Patient Consent 

§ 2.51 Medical emergencies. 

(a) General Rule. Under the procedures required by paragraph (c) of this section, patient- 
identifying information may be disclosed to medical personnel who have a need for infonnation 
about a patient for the purpose of treating a condition which poses an immediate threat to the 
health of any individual and which requires immediate medical intervention. 

(b) Special Rule. Patient-identifying information may be disclosed to medical personnel of the 
Food and Drug Administration (FDA) who assert a reason to believe that the health of any 
individual may be threatened by an error in the manufacture, labeling, or sale of a product under 
FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying 
patients or their physicians of potential dangers. 

(c) Procedures. Immediately following disclosure, the program shall document the disclosure in 
the patient's records, setting forth in writing: 

(1) The name of the medical personnel to whom disclosure was made and their affiliation with 
any health care facility; 

(2) The name of the individual making the disclosure; 


(3) The date and time of the disclosure; and 



(4) The nature of the emergency (or error, if the report was to FDA). 


(Approved by the Office of Management and Budget under control number 0930-0099) 

§ 2.52 Research activities. 

(a) Patient-identifying information may be disclosed for the purpose of conducting scientific 
research if the program director makes a determination that the recipient of the patient- 
identifying information: 

(1) Is qualified to conduct the research; 

(2) Has a research protocol under which the patient-identifying information: 

(i) Will be maintained in accordance with the security requirements of § 2.16 of these regulations 
(or more stringent requirements); and 

(ii) Will not be redisclosed except as permitted under paragraph (b) of this section; and 

(3) Has provided a satisfactory written statement that a group of three or more individuals who 
are independent of the research project has reviewed the protocol and determined that: 

(i) The rights and welfare of patients will be adequately protected; and 

(ii) The risks in disclosing patient-identifying infonnation are outweighed by the potential 
benefits of the research. 

(b) A person conducting research may disclose patient-identifying information obtained under 
paragraph (a) of this section only back to the program from which that information was obtained 
and may not identify any individual patient in any report of that research or otherwise disclose 
patient identities. 

[52 FR 21809, June 9, 1987, as amended at 52 FR 41997, Nov. 2, 1987] 

§ 2.53 Audit and evaluation activities. 

(a) Records not copied or removed. If patient records are not copied or removed, patient- 
identifying information may be disclosed in the course of a review of records on program 
premises to any person who agrees in writing to comply with the limitations on redisclosure and 
use in paragraph (d) of this section and who: 

(1) Perfonns the audit or evaluation activity on behalf of: 

(1) Any Federal, State, or local governmental agency which provides financial assistance to the 
program or is authorized by law to regulate its activities; or 

(ii) Any private person which provides financial assistance to the program, which is a third party 
payer covering patients in the program, or which is a peer review organization performing a 
utilization or quality control review; or 

(2) Is determined by the program director to be qualified to conduct the audit or evaluation 
activities. 



(b) Copying or removal of records. Records containing patient-identifying information may be 
copied or removed from program premises by any person who: 

(1) Agrees in writing to: 

(1) Maintain the patient-identifying information in accordance with the security requirements 
provided in § 2.16 of these regulations (or more stringent requirements); 

(ii) Destroy all the patient-identifying infonnation upon completion of the audit or evaluation; 
and 

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and 

(2) Performs the audit or evaluation activity on behalf of: 

(i) Any Federal, State, or local governmental agency which provides financial assistance to the 
program or is authorized by law to regulate its activities; or 

(ii) Any private person which provides financial assistance to the program, which is a third part 
payer covering patients in the program, or which is a peer review organization performing a 
utilization or quality control review. 

(c) Medicare or Medicaid audit or evaluation. 

(1) For purposes of Medicare or Medicaid audit or evaluation under this section, audit or 
evaluation includes a civil or administrative investigation of the program by any Federal, State, 
or local agency responsible for oversight of the Medicare or Medicaid program and includes 
administrative enforcement, against the program by the agency, of any remedy authorized by law 
to be imposed as a result of the findings of the investigation. 

(2) Consistent with the definition of program in § 2.11, program includes an employee of, or 
provider of medical services under, the program when the employee or provider is the subject of 
a civil investigation or administrative remedy, as those terms are used in paragraph (c)(1) of this 
section. 

(3) If a disclosure to a person is authorized under this section for a Medicare or Medicaid audit or 
evaluation, including a civil investigation or administrative remedy, as those terms are used in 
paragraph (c)(1) of this section, then a peer review organization which obtains the information 
under paragraph (a) or (b) may disclose the information to that person but only for purposes of 
Medicare or Medicaid audit or evaluation. 

(4) The provisions of this paragraph do not authorize the agency, the program, or any other 
person to disclose or use patient-identifying information obtained during the audit or evaluation 
for any purposes other than those necessary to complete the Medicare or Medicaid audit or 
evaluation activity as specified in this paragraph. 

(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, 
patient-identifying information disclosed under this section may be disclosed only back to the 
program from which it was obtained and used only to carry out an audit or evaluation purpose or 
to investigate or prosecute criminal or other activities, as authorized by a court order entered 
under § 2.66 of these regulations. 



Subpart E—Court Orders Authorizing Disclosure and Use 

§ 2.61 Legal effect of order. 

(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique 
kind of court order. Its only purpose is to authorize a disclosure or use of patient infonnation 
which would otherwise be prohibited by 42 U.S.C. 290ee-3, 42 U.S.C. 290dd-3 and these 
regulations. Such an order does not compel disclosure. A subpoena or a similar legal mandate 
must be issued in order to compel disclosure. This mandate may be entered at the same time as 
and accompany an authorizing court order entered under these regulations. 

(b) Examples. (1) A person holding records subject to these regulations receives a subpoena for 
those records: a response to the subpoena is not permitted under the regulations unless an 
authorizing court order is entered. The person may not disclose the records in response to the 
subpoena unless a court of competent jurisdiction enters an authorizing order under these 
regulations. 

(2) An authorizing court order is entered under these regulations, but the person authorized does 
not want to make the disclosure. If there is no subpoena or other compulsory process or a 
subpoena for the records has expired or been quashed, that person may refuse to make the 
disclosure. Upon the entry of a valid subpoena or other compulsory process the person 
authorized to disclose must disclose, unless there is a valid legal defense to the process other 
than the confidentiality restrictions of these regulations. 

[52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] 

§ 2.62 Order not applicable to records disclosed without consent to researchers, auditors 
and evaluators. 

A court order under these regulations may not authorize qualified personnel, who have received 
patient-identifying infonnation without consent for the purpose of conducting research, audit or 
evaluation, to disclose that information or use it to conduct any criminal investigation or 
prosecution of a patient. However, a court order under § 2.66 may authorize disclosure and use 
of records to investigate or prosecute qualified personnel holding the records. 

§ 2.63 Confidential communications. 

(a) A court order under these regulations may authorize disclosure of confidential 
communications made by a patient to a program in the course of diagnosis, treatment, or referral 
for treatment only if: 

(1) The disclosure is necessary to protect against an existing threat to life or of serious bodily 
injury, including circumstances which constitute suspected child abuse and neglect and verbal 
threats against third parties; 



(2) The disclosure is necessary in connection with investigation or prosecution of an extremely 
serious crime, such as one which directly threatens loss of life or serious bodily injury, including 
homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and 
neglect; or 

(3) The disclosure is in connection with litigation or an administrative proceeding in which the 
patient offers testimony or other evidence pertaining to the content of the confidential 
communications. 

§ 2.64 Procedures and criteria for orders authorizing disclosures for noncriminal purposes. 

(a) Application. An order authorizing the disclosure of patient records for purposes other than 
criminal investigation or prosecution may be applied for by any person having a legally 
recognized interest in the disclosure which is sought. The application may be filed separately or 
as part of a pending civil action in which it appears that the patient records are needed to provide 
evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and 
may not contain or otherwise disclose any patient-identifying information unless the patient is 
the applicant or has given a written consent (meeting the requirements of these regulations) to 
disclosure or the court has ordered the record of the proceeding sealed from public scrutiny. 

(b) Notice. The patient and the person holding the records from whom disclosure is sought must 
be given: 

(1) Adequate notice in a manner which will not disclose patient-identifying information to other 
persons: and 

(2) An opportunity to file a written response to the application, or to appear in person, for the 
limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of 
the court order. 

(c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing 
on the application must be held in the judge's chambers or in some manner which ensures that 
patient-identifying information is not disclosed to anyone other than a party to the proceeding, 
the patient, or the person holding the record, unless the patient requests an open hearing in a 
manner which meets the written consent requirements of these regulations. The proceeding may 
include an examination by the judge of the patient records referred to in the application. 

(d) Criteria for entry of order. An order under this section may be entered only if the court 
determines that good cause exists. To make this detennination the court must find that: 

(1) Other ways of obtaining the information are not available or would not be effective; and 


(2) The public interest and need for the disclosure outweigh the potential injury to the patient, the 
physician-patient relationship and the treatment services. 



(e) Content of order. An order authorizing a disclosure must: 

(1) Limit disclosure to those parts of the patient's record which are essential to fulfill the 
objective of the order. 

(2) Limit disclosure to those persons whose need for information is the basis for the order; and 

(3) Include such other measures as are necessary to limit disclosure for the protection of the 
patient, the physician-patient relationship and the treatment services; for example, sealing from 
public scrutiny the record of any proceeding for which disclosure of a patient's record has been 
ordered. 

§ 2.65 Procedures and criteria for orders authorizing disclosure and use of records to 
criminally investigate or prosecute patients. 

(a) Application. An order authorizing the disclosure or use of patient records to criminally 
investigate or prosecute a patient may be applied for by the person holding the records or by any 
person conducting investigative or prosecutorial activities with respect to the enforcement of 
criminal laws. The application may be filed separately, as part of an application for a subpoena 
or other compulsory process, or in a pending criminal action. An application must use a fictitious 
name such as John Doe, to refer to any patient and may not contain or otherwise disclose patient- 
identifying information unless the court has ordered the record of the proceeding sealed from 
public scrutiny. 

(b) Notice and hearing. Unless an order under § 2.66 is sought with an order under this section, 
the person holding the records must be given: 

(1) Adequate notice (in a manner which will not disclose patient-identifying information to third 
parties) of an application by a person performing a law enforcement function; 

(2) An opportunity to appear and be heard for the limited purpose of providing evidence on the 
statutory and regulatory criteria for the issuance of the court order; and 

(3) An opportunity to be represented by counsel independent of counsel for an applicant who is a 
person performing a law enforcement function. 

(c) Review of evidence: Conduct of hearings. Any oral argument, review of evidence, or hearing 
on the application shall be held in the judge's chambers or in some other manner which ensures 
that patient-identifying information is not disclosed to anyone other than a party to the 
proceedings, the patient, or the person holding the records. The proceeding may include an 
examination by the judge of the patient records referred to in the application. 

(d) Criteria. A court may authorize the disclosure and use of patient records for the purpose of 
conducting a criminal investigation or prosecution of a patient only if the court finds that all of 
the following criteria are met: 



(1) The crime involved is extremely serious, such as one which causes or directly threatens loss 
of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with 
a deadly weapon, and child abuse and neglect. 

(2) There is a reasonable likelihood that the records will disclose information of substantial value 
in the investigation or prosecution. 

(3) Other ways of obtaining the information are not available or would not be effective. 

(4) The potential injury to the patient, to the physician-patient relationship and to the ability of 
the program to provide services to other patients is outweighed by the public interest and the 
need for the disclosure. 

(5) If the applicant is a person performing a law enforcement function that: 

(i) The person holding the records has been afforded the opportunity to be represented by 
independent counsel; and 

(ii) Any person holding the records which is an entity within Federal, State, or local government 
has in fact been represented by counsel independent of the applicant. 

(e) Content of order. Any order authorizing a disclosure or use of patient records under this 
section must: 

(1) Limit disclosure and use to those parts of the patient's record which are essential to fulfill the 
objective of the order; 

(2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, 
or are conducting, the investigation or prosecution, and limit their use of the records to 
investigation and prosecution of extremely serious crime or suspected crime specified in the 
application; and 

(3) Include such other measures as are necessary to limit disclosure and use to the fulfillment of 
only that public interest and need found by the court. 

[52 FR 21809, June 9, 1987; 52 FR 42061, Nov. 2, 1987] 

§ 2.66 Procedures and criteria for orders authorizing disclosure and use of records to 
investigate or prosecute a program or the person holding the records. 

(a) Application. (1) An order authorizing the disclosure or use of patient records to criminally or 
administratively investigate or prosecute a program or the person holding the records (or 
employees or agents of that program or person) may be applied for by any administrative, 
regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having 
jurisdiction over the program's or person’s activities. 

(2) The application may be filed separately or as part of a pending civil or criminal action against 
a program or the person holding the records (or agents or employees of the program or person) in 



which it appears that the patient records are needed to provide material evidence. The application 
must use a fictitious name, such as John Doe, to refer to any patient and may not contain or 
otherwise disclose any patient-identifying information unless the court has ordered the record of 
the proceeding sealed from public scrutiny or the patient has given a written consent (meeting 
the requirements of § 2.31 of these regulations) to that disclosure. 

(b) Notice not required. An application under this section may, in the discretion of the court, be 
granted without notice. Although no express notice is required to the program, to the person 
holding the records, or to any patient whose records are to be disclosed, upon implementation of 
an order so granted any of the above persons must be afforded an opportunity to seek revocation 
or amendment of that order, limited to the presentation of evidence on the statutory and 
regulatory criteria for the issuance of the court order. 

(c) Requirements for order. An order under this section must be entered in accordance with, and 
comply with the requirements of, paragraphs (d) and (e) of § 2.64 of these regulations. 

(d) Limitations on disclosure and use of patient-identifying information: (1) An order entered 
under this section must require the deletion of patient-identifying information from any 
documents made available to the public. 

(2) No infonnation obtained under this section may be used to conduct any investigation or 
prosecution of a patient, or be used as the basis for an application for an order under § 2.65 of 
these regulations. 

§ 2.67 Orders authorizing the use of undercover agents and informants to criminally 
investigate employees or agents of a program. 

(a) Application. A court order authorizing the placement of an undercover agent or informant in a 
program as an employee or patient may be applied for by any law enforcement or prosecutorial 
agency which has reason to believe that employees or agents of the program are engaged in 
criminal misconduct. 

(b) Notice. The program director must be given adequate notice of the application and an 
opportunity to appear and be heard (for the limited purpose of providing evidence on the 
statutory and regulatory criteria for the issuance of the court order), unless the application asserts 
a belief that: 

(1) The program director is involved in the criminal activities to be investigated by the 
undercover agent or infonnant; or 

(2) The program director will intentionally or unintentionally disclose the proposed placement of 
an undercover agent or informant to the employees or agents who are suspected of criminal 
activities. 


(c) Criteria. An order under this section may be entered only if the court determines that good 
cause exists. To make this determination the court must find: 



(1) There is reason to believe that an employee or agent of the program is engaged in criminal 
activity; 

(2) Other ways of obtaining evidence of this criminal activity are not available or would not be 
effective; and 

(3) The public interest and need for the placement of an undercover agent or infonnant in the 
program outweigh the potential injury to patients of the program, physicianBpatient relationships 
and the treatment services. 

(d) Content of order. An order authorizing the placement of an undercover agent or informant in 
a program must: 

(1) Specifically authorize the placement of an undercover agent or an infonnant; 

(2) Limit the total period of the placement to 6 months; 

(3) Prohibit the undercover agent or infonnant from disclosing any patient-identifying 
information obtained from the placement except as necessary to criminally investigate or 
prosecute employees or agents of the program; and 

(4) Include any other measures which are appropriate to limit any potential disruption of the 
program by the placement and any potential for a real or apparent breach of patient 
confidentiality; for example, sealing from public scrutiny the record of any proceeding for which 
disclosure of a patient's record has been ordered. 

(e) Limitation on use of information. No information obtained by an undercover agent or 
informant placed under this section may be used to criminally investigate or prosecute any 
patient or as the basis for an application for an order under § 2.65 of these regulations. 


Appendix B—Managed Care and Client 

Confidentiality 

As managed care plans proliferate across the country, alcohol and other drug (AOD) treatment 
providers and single State agencies have become increasingly concerned about the impact of 
these plans on client confidentiality. Managed care plans vary from State to State and from 
program to program, yet all require some communication between a client's AOD treatment 
provider and his or her managed care plan. 

Some managed care plans require client information from treatment programs to perform 
"gatekeeping" functions—preapproving treatment plans and monitoring admissions and lengths 
of stay. Other managed care programs, such as health maintenance organizations (HMOs) that 




provide primary health care and AOD treatment services either directly or through network 
providers, require information to coordinate care as well as to perform gate-keeping functions. 

Depending on the purpose of the communication and the role of the managed care provider, 
different issues relating to confidentiality arise. This appendix addresses the ways in which AOD 
treatment programs, under the Federal confidentiality law and regulations, may communicate 
with managed care providers while still protecting clients' confidentiality rights. Also discussed 
are the confidentiality issues that programs have to consider as they explore ways to restructure 
the delivery of AOD treatment in a managed care environment. This appendix provides answers 
for the eight most frequently asked questions about managed care and client confidentiality. 

1. What is the overall relationship between the Federal confidentiality law and 
regulations (42 U.S.C. Sec. 290dd-2; 42 C.F.R. Part 2) and managed care plans? 

The Federal confidentiality law and regulations prohibit Federally assisted AOD programs from 
disclosing any records or other information about any patient except under certain specified 
conditions. Programs that are covered by the regulations are those that, in whole or in part, 
provide AOD diagnosis, treatment, or referral for treatment. Thus, programs that are covered by 
the regulations cannot disclose any "patient-identifying information" (i.e., any infonnation that 
would identity a client as having an AOD problem or receiving AOD services) to managed care 
plans unless the specific conditions laid out in the regulations are met. 

With the advent of managed care, many health care providers that have not traditionally fallen 
under the Federal confidentiality regulations now meet the definition of a program that must 
follow the regulations. For example, some for-profit AOD treatment programs have only 
accepted payment from insurance companies or patients themselves. These programs do not 
receive Federal assistance of any kind, either directly or indirectly, and, unless required to do so 
by the State where they do business, have not had to follow the Federal regulations. Increasingly, 
however, many of these programs have joined managed care networks, such as HMOs, that do 
receive some Federal funding. Consequently, these treatment programs now indirectly receive 
Federal funds and must follow the regulations. 

Similarly, many managed care organizations, such as HMOs, that have not traditionally had to 
follow the regulations are now providing the type of service and receiving the type of Federal 
assistance that bring them under the regulations. Many of these plans, typically HMOs, are 
beginning to provide AOD treatment directly or are performing assessments and diagnoses and 
referring patients for treatment. In addition, because plans that have historically accepted only 
privately insured patients are, in growing numbers, becoming part of Medicaid managed care and 
received Federally assisted Medicaid payments, they are now receiving Federal assistance. Thus, 
they too have to follow the regulations whenever they make a disclosure that involves patient- 
identifying information. 

2. What exceptions to the confidentiality law and regulations apply when a treatment 
program wishes to communicate with a managed care entity? 



Depending on the purpose of the disclosure and the relationship between the treatment program 
and the managed care entity, several options, or "exceptions," under the Federal confidentiality 
regulations may enable programs to disclose client information to managed care providers. These 
options include written consent, a qualified service organization agreement (QSOA), audit or 
evaluation, internal communications, and medical emergency. 

(a) Proper consent 

Treatment programs may make a disclosure to a managed care provider if the client signs a valid 
consent fonn. The consent form must comply with the requirements of § 2.31 of the Federal 
confidentiality regulations and must be accompanied by the notice prohibiting redisclosure that is 
required by § 2.32. 

To protect their clients' rights, programs are advised to consult with their clients' managed care 
providers whenever possible to ascertain how they intend to use the infonnation. Despite the 
prohibition on redisclosure, managed care providers frequently redisclose to third parties (e.g., 
insurance companies, other health care providers, government agencies) information that 
identifies the client as having received AOD services. 

If the program learns that the managed care provider will be redisclosing information, then it 
may decide to draft the original consent form in such a way that permits the redisclosure by the 
managed care agent. This helps ensure that the client is truly making an informed decision about 
whether to consent to the disclosure. Programs also have the option of drafting a consent form 
that allows for three-way communication (e.g., a situation in which the treatment program, the 
managed care provider, and another health care provider need to discuss and coordinate the 
client's care), as long as the purpose for the disclosure and the nature of the infonnation to be 
disclosed are the same. 

(b) Qualified service organization agreement 

A treatment program may enter into a QSOA with a managed care provider if the managed care 
provider renders the type of service that qualifies it as a "service organization." Under §2.11 of 
the regulations, a "qualified service organization" (QSO) is a person or agency that provides 
services to the program, such as legal, medical, accounting, laboratory analyses, or other 
professional services. 

To become a QSO, an organization must agree in writing to (1) follow the Federal rules in 
handling the information it receives from the AOD program and (2) challenge in court any 
unauthorized attempt to obtain that information, as a covered AOD program must also do. Once 
the agreement is signed, the treatment program may freely communicate information from 
patient records to the QSO without patient consent—but only the information that is needed by 
the QSO in order to provide services to the program. 

Thus, if a managed care program provides a service that qualifies it as a service organization, as 
defined in § 2.11, and if it is willing to sign a QSOA, then the treatment program may give the 
managed care provider the infonnation it needs to perform its services without the client's 



consent. It is therefore crucial to look at the type of service being provided by a managed care 
entity to detennine whether it is, in fact, a QSO. The following examples, depicting the most 
frequent managed care functions, illustrate the point: 


A. The ABC insurance company, a third-party payer, uses a managed care provider to 
determine whether it should pay for treatment. The managed care provider requires 
specific information from the program in order to make its determinations. 

A treatment program cannot enter into a QSOA with a managed care provider in this 
situation. Reimbursement for treatment is not a "service" being provided to the treatment 
program within the above definition of a service organization. Thus, to make disclosures 
to a managed care company for the purpose of receiving authorization and reimbursement 
for treatment, a program has to obtain the patient's written consent, as discussed above. 

B. An HMO managed care provider requires all its members who need AOD treatment 
services to come to its facility to be assessed. If a member is assessed as needing 
treatment, then he or she will either be seen at the HMO or referred to an outside 
treatment provider, depending on the diagnosis. 

An HMO that conducts assessments for an AOD program is providing a service. 

However, the HMO cannot sign a QSOA with the program it is assisting if it is also a 
"program" that falls under the Federal confidentiality regulations. This is because the 
U.S. Department of Health and Human Services (DHHS), the agency empowered to 
interpret and enforce the Federal confidentiality law and regulations, has ruled that a 
program that falls under the Federal confidentiality regulations may not be considered a 
"service organization" except in limited circumstances. In 1978, DHHS issued an opinion 
letter stating that a QSOA could only be signed between two programs covered by the 
regulations if one program (the "service organization") was providing a service other than 
an AOD service (Legal Opinion No. 78-27, issued December 6, 1978, by the Office of 
the General Counsel, Public Health Division, DHHS). 

Thus, if this HMO is covered by the regulations (i.e., if it receives Federal assistance and 
it provides AOD diagnosis, treatment, or referral for treatment), then it cannot be 
considered a QSO because it is performing an AOD treatment service—that is, 
conducting assessments—for the treatment program. 

If the HMO does not fall under the regulations (i.e., if it receives no Federal assistance of 
any kind), then the outside treatment program and the HMO can enter into a QSOA. 

C. Individuals enrolled in the ABC managed care program can receive treatment from any 
certified AOD treatment programs but must be seen by the physicians in the managed 
care program’s network for primary health care services. This might occur in three ways: 

• if the managed care provider has physicians on staff; 

• if the managed care provider has a preferred provider list of physicians and allows its 
patients to receive health care services from physicians on that list without the managed 
care provider’s approval; or 



• if the managed care provider has a contractual relationship with the physicians in its 
network, but patients cannot be seen by those physicians without a referral from the 
managed care plan. 

Medical services are clearly the type of services that can qualify an organization as a QSO. In the 
first example, because the managed care provider is itself rendering medical services to treatment 
program clients, it can be considered a "service organization." Thus, a QSOA can be signed 
between the treatment program and the managed care provider for the provision of health care 
services to the treatment program's clients. The treatment program should make sure that the 
QSOA specifies the nature of the service to be provided by the managed care program, so it can 
limit how the managed care program can use client information. 

In the second two examples, the managed care providers do not provide primary health care 
services directly; instead, they contract out for those services. Because treatment providers in the 
second example do not need to involve the managed care provider when referring clients for 
health care services, they have no need for a QSOA with the managed care provider. Instead, 
they can sign QSOAs with the treating health care providers. Should the health care providers 
need to give information to the managed care provider in order to get reimbursed for services 
rendered, under the tenns of the QSOA, they cannot not reveal any information they received 
from the treatment providers that would identify referred clients as having AOD problems or 
receiving AOD services. 

In the third example, the managed care provider is providing a service to the treatment program, 
that is, referral for primary care services for its clients. Therefore, the treatment program can sign 
a QSOA with the managed care provider for the provision of referral services. Should the need 
exist, the treatment program can also sign QSOAs with the health care providers who are 
actually treating its clients. However, as in the second example, neither the managed care 
provider nor the physicians would be allowed to share AOD patient-identifying information 
received from the treatment programs with each other. Instead, they would have to use one of the 
three methods described in the preceding paragraph. 

(c) Internal communications 

In some circumstances, HMOs and other managed care providers directly provide AOD 
treatment, and thus the treatment program and the managed care provider are one entity. The 
Federal regulations do pennit AOD records to be shared between program personnel or with "an 
entity that has direct administrative control over the program" if the communication occurs 
"between or among personnel having a need for the information in connection with their duties 
that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol or drug 
abuse" (§ 2.12(c)(3)). 

Disclosures between an AOD unit and other parts of a managed care program are authorized 
without patient consent if those disclosures are necessary to provide the AOD services. These 
might include communications to the managed care provider's central-billing or record-keeping 
departments or laboratory. 



(d) Medical emergency 


In certain circumstances, disclosures may also be made by treatment providers to their clients' 
managed care providers to the extent necessary to meet a bona fide "medical emergency" 
affecting the patient or any other person (§ 2.51). The medical emergency exception authorizes a 
program to disclose patient-identifying information to "medical personnel" who "have a need for 
information about a patient for the purpose of treating a condition which poses an immediate 
threat to the health of any individual and which requires immediate medical intervention" (§ 
2.51(a)). 

Thus, if a managed care program provides direct health care services, it can clearly be seen as 
"medical personnel" and can receive information from a treatment program when a client's 
condition poses an immediate threat to his or her health or that of others and requires immediate 
medical intervention. 

The same is not true, however, if the managed care provider does not directly provide health care 
services but rather merely pays for the emergency care. If a managed care provider allows clients 
to receive emergency care at an emergency room but requires notification within a specified 
period of time, then the managed care provider is acting as a third-party payer and not a 
treatment provider and cannot receive information from a treatment program under the medical 
emergency exception. 

However, medical personnel who treat the client for the emergency can contact the managed care 
provider for the purpose of getting reimbursed for the services rendered, even if that 
communication reveals that the client has an AOD problem. The restrictions on disclosures under 
the Federal confidentiality regulations do not apply to medical personnel who receive 
information from treatment programs for the purpose of treating a medical emergency (§ 
2.12(d)(2)). 

(e)Audit and evaluation 

Federal, State, or local government agencies that provide financial assistance to a program and 
managed care providers that are third-party payers covering patients in the program may 
examine patient records for the purpose of perfonning an audit or evaluation of the program (§ 
2.53). This "audit-and-evaluation" exception is a narrow one, designed only to pennit financial 
and programmatic evaluation of a program's functions. 

If a managed care provider wishes to see patient records to preauthorize or pay for treatment, 
then it may not do so without obtaining the client's consent. Such a review is not for detennining 
how the program is functioning financially or otherwise and thus does not fit within the audit- 
and-evaluation exception. 

Any managed care organization or agency that conducts an audit or evaluation must agree in 
writing that it will redisclose patient-identifying information only (1) back to the program, (2) 
pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a 



government agency that is overseeing a Medicare or Medicaid audit or evaluation (§ 2.53(c), 

(d)). 

3. In general, what kinds of records should AOD providers be willing to share with a 
managed care entity if the appropriate exceptions are in effect? 

Managed care organizations request information for many different reasons. As noted above, 
managed care plans sometime require client infonnation from treatment programs to perform 
"gatekeeping" functions—preapproving treatment plans and monitoring admissions and lengths 
of stay. At other times, managed care programs require information to coordinate care or to 
document that the patient's treatment is reimbursable. 

Managed care entities appear to be requesting ever greater amounts of information about clients 
both before they approve treatment and as treatment progresses. Some managed care plans ask to 
see clients' entire files, sometimes dating back years. Whenever infonnation is shared with 
insurance carriers and managed care entities, significant dangers arise to patient privacy. Many 
managed care plans, especially those that are part of private insurance companies, routinely share 
information through vast computerized networks. 

For these reasons, AOD programs making disclosures to managed care entities should try to 
negotiate a more limited disclosure because the regulations limit even consented disclosures to 
only that information necessary to meet the intended purpose (§ 2.13(a)). Programs can often 
convince insurance companies to be satisfied with less information than they initially sought. 

For example, determinations of eligibility for third-party payments often can be made without 
extensive disclosure of the patient's clinical record. Restricting disclosure to reasonably 
necessary information means that the program should communicate only the minimum amount 
of information required to show that the patient has received treatment and that such treatment is 
reimbursable. If the managed care entity asks for more detail, then the treatment program should 
question the necessity of divulging further information and, if necessary, appeal the request for 
additional infonnation within the plan or to the State insurance department. Some States now 
regulate the actions of managed care entities. Of course, if a managed care plan insists on 
additional documentation before approving admission or processing a claim, its action is in 
accordance with State law, and the patient consents, then the program may have little choice but 
to comply. 

4. If a client who is covered by a managed care payer is mandated into AOD 
treatment, must the managed care company pay for the service that is mandated? 

This is a complicated question. If an insurance company or a managed care plan provides 
coverage that includes reimbursement for AOD treatment that is "medically necessary," then its 
decision to reimburse should be based on whether the treatment being mandated meets that 
criterion and not on the referral source. If a managed care plan takes the position that any care 
mandated by court is not, by definition, medically necessary, then that decision most likely 
violates the terms and conditions of its contract with the member and should be appealed. 



Some managed care plans, however, will not explicitly state that they will not reimburse for 
mandated services but set up procedures that virtually ensure that result. For example, some 
managed care plans will not accept the assessment of intennediate sanctions programs or other 
assessors who are outside of the managed care network. Yet, at the same time, the managed care 
plan will not come to court or jail to perfonn its own assessments, creating a "Catch 22" in which 
offenders cannot be diverted or released unless they have a program to go to but cannot be 
assessed and treated unless they have been diverted or released. 

Practices such as these threaten to disrupt tremendously the criminal justice system and family 
courts because these systems increasingly rely on AOD treatment both to rehabilitate offenders 
and to reduce unnecessary reliance on incarceration. Barring State legislation or regulation that 
requires managed care plans to pay for court-mandated services, patients should be advised to 
appeal any denial of reimbursement for such services and, if unsuccessful, file complaints with 
their State health and/or insurance department. 

5. When clients are mandated into AOD, who/what determines which records are to be 
made available to the managed care provider? The mandating agency (i.e., court) or 
the AOD program? 

Courts mandating individuals into treatment generally will not have any interest in directing 
what records should be made available to managed care providers. Courts will often, however, 
have an interest in receiving periodic reports from the AOD program about the progress of the 
individual mandated into treatment. In such a situation, the program should get the client’s 
consent to disclose the information requested to the court. This usually includes infonnation 
about the client's prognosis, attendance or lack of attendance at treatment sessions, and his or her 
cooperation with the treatment program. 

If a managed care plan is reimbursing an AOD program for services rendered to clients 
mandated into treatment, then that managed care plan will have the same interest in obtaining 
information about those mandated clients as they have in nonmandated clients. As noted above, 
this may involve the managed care plan asking for more infonnation than the program believes is 
necessary to accomplish the disclosure's purpose. The program should then question the 
necessity of making such an extensive disclosure and try to negotiate a more limited disclosure 
with the managed care company. This may include the initial evaluation and diagnosis; a 
summary of the treatment plan; the patient’s attendance, progress, and compliance; and the 
discharge plan. 

6. What disclosures are permitted by the confidentiality law and regulations when an 
AOD program contacts a managed care company to certify the client's eligibility? 

If the managed care provider requires an AOD program to get preauthorization before providing 
treatment, the program must obtain the client's consent before contacting the managed care 
provider. The Federal confidentiality regulations define the term "patient" as "any individual 
who has applied for or been given diagnosis or treatment for alcohol or drug abuse" (§ 2.11). 
Thus, once the client applies to the program for services, he or she is protected by the Federal 
confidentiality law, and information that would identify the client as an alcohol or drug abuser 



cannot be divulged by the program without his or her consent. Because calling a managed care 
plan to ask whether John Smith has coverage for AOD treatment is a disclosure that John Smith 
has applied for such services, Mr. Smith's consent is required before the program can make the 
call. 

7. As AOD programs form networks to provide a range of services to clients of 
managed care entities, how do the components of the network share information? 
When and how do the networks share information with the managed care entity? 

As AOD programs explore ways to restructure the service of the services so that they can adapt 
to the managed care environment, many are beginning to form networks. These networks are 
being configured in different ways. Depending on how these networks are designed, different 
options under the Federal regulations will enable the components to share infonnation. 

For example, some AOD programs are coming together and setting up whole new programs that 
offer a full range of treatment services. These programs are not maintaining their own unique 
identities but rather are merging and creating a new identity. The different components of this 
new program can discuss patient-identifying information with each other following the internal 
communications provisions set out in the Federal regulations and explained in question 2. 

Thus, if one component is responsible for the initial intake and referral to the appropriate service 
component, and if the different parts of the agency meet periodically to discuss a patient's 
progress and decide that a different approach may be warranted, and if this information is given 
to the billing department so that the program can get paid by the managed care plan, then all of 
these disclosures are permitted under the internal communications option described in the 
Federal regulations because the recipients in each case need the information to provide the AOD 
service. 

Other programs are fonning more loosely connected networks. They are not giving up their own 
separate identities but rather are working together to develop the kind of comprehensive service 
package that is attractive to managed care entities. Because these are all separate programs, the 
internal communication option is not available to such a network. Nor can these programs sign 
QSOAs with each other, because, as noted above, two programs that are covered by the 
regulations cannot sign a QSOA for the purpose of providing an AOD service. 

Thus, the only option available to such a network is the use of consent forms. Rather than each 
program having to draft its own consent form before it can disclose information to the other 
network members, however, the regulations do allow for the signing of multiparty consent fonns. 
The key to such a form is making sure that it authorizes each party listed on the form to disclose 
the infonnation specified to all the other parties on the form. For example, a patient can sign a 
consent form that states "the following treatment programs are authorized to disclose to and 
communicate with one another" the following specified infonnation "for the purpose of 
coordinating my care and providing my treatment." 



If the network is using a multiparty consent form, it must make sure that the same kind and 
amount of information will be shared, for the same common purpose, among all those authorized 
to receive and/or disclose that infonnation. 

When and how the various types of networks can share information with the managed care entity 
is discussed in question 2. 

8 . What are some of the other consumer rights that patients of AOD programs should 
know regarding managed care? 

Besides the confidentiality protections afforded to patients in AOD programs, some States have 
passed legislation regulating managed care practices and containing numerous consumer 
protections. Depending on the legislation, the following protections exist for patients regarding 
managed care: 

• plans must use nationally recognized assessment criteria and must disclose the criteria, 
standards, procedures, and methods used in making detenninations; 

• managed care plans are prohibited from offering incentives to their employees to increase 
the number of adverse determinations; 

• initial decisions and decisions on appeal must be made by reviewers who have an 
expertise in the field they are reviewing; 

• plans must make decisions within certain specified times; 

• plans must ensure timely telephone access to review agents and timely access to care; 

• plans must provide complete infonnation about their health plan, including information 
about the package of benefits, choice of provider, and limits on service and out-of-pocket 
costs, including copayments; and 

• plans must specify the process by which patients are notified of adverse determinations 
and the process by which patients can file grievances and appeal adverse determinations; 
in some States, patients have a right to an independent review. 



